Remote Code Execution via traversal in expressions part 2

Versions affected

  • 5.2.4
  • 5.2.3
  • 5.2.2
  • 5.2.1
  • 5.2.0
  • 5.1rc2
  • 5.1rc1
  • 5.1b4
  • 5.1b3
  • 5.1b2
  • 5.1a2
  • 5.1a1
  • 5.1.7
  • 5.1.6
  • 5.1.5
  • 5.1.4
  • 5.1.2
  • 5.1.1
  • 5.1
  • 5.0rc3
  • 5.0rc2
  • 5.0rc1
  • 5.0.9
  • 5.0.8
  • 5.0.7
  • 5.0.6
  • 5.0.5
  • 5.0.4
  • 5.0.3
  • 5.0.2
  • 5.0.10
  • 5.0.1
  • 5.0
  • 4.3.9
  • 4.3.8
  • 4.3.7
  • 4.3.6
  • 4.3.5
  • 4.3.4
  • 4.3.3
  • 4.3.20
  • 4.3.2
  • 4.3.19
  • 4.3.18
  • 4.3.17
  • 4.3.15
  • 4.3.14
  • 4.3.12
  • 4.3.11
  • 4.3.10
  • 4.3.1
  • 4.3

Vulnerability

This is an extension of the other traversal-in-expressions vulnerability reported for this hotfix; it was found only after the hotfix was released. The original vulnerability was that modules not meant to be reachable from untrusted code were nonetheless available when a trusted module imported them under an alias starting with an underscore, the convention for marking them private. The new vulnerability is that such untrusted modules may still be reachable when a trusted module imports them under their original name, so a check that looks only at the attribute name is not sufficient. By default, the Manager role is required to exploit this. This vulnerability was first fixed in version 1.4 of the hotfix.
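To make the difference between the two issues concrete, the following is a constructed Python model of a name-based traversal guard next to an allowlist-based one. It is an added example, not Zope's or the hotfix's code; the modules, attribute names and the ALLOWED_MODULES set are invented for illustration. The point it shows is that the same sensitive module object is reachable under its original name even when the underscore-prefixed alias is blocked, and that checking the reached object against an allowlist closes both paths.

```python
"""Constructed model of traversal into modules via a trusted module (example, not Zope code)."""
import types

# Constructed stand-in for a sensitive module that untrusted code must never reach.
sensitive = types.ModuleType("sensitive")


def run_command(cmd):
    """Stand-in for a dangerous function; only reports what it would do."""
    return f"would execute: {cmd}"


sensitive.run_command = run_command

# Constructed stand-in for a module that untrusted expressions are allowed to use.
# It imports the sensitive module twice: once under a "private" alias and once
# under its original name. Both attributes point at the very same object.
trusted = types.ModuleType("trusted")
trusted._sens = sensitive       # alias marked private by the leading underscore
trusted.sensitive = sensitive   # same module under its original name
trusted.safe_value = 42

# Hypothetical allowlist of modules that untrusted code may traverse into.
ALLOWED_MODULES = frozenset({"trusted"})


def traverse_name_check(root, path):
    """Flawed guard: only refuses attribute names that start with an underscore."""
    obj = root
    for part in path.split("/"):
        if part.startswith("_"):
            raise PermissionError(f"private name {part!r} is not traversable")
        obj = getattr(obj, part)
    return obj


def traverse_allowlist(root, path):
    """Hardened guard: keeps the underscore rule and additionally refuses any
    module object that is not on the allowlist, whatever name it was reached by."""
    obj = root
    for part in path.split("/"):
        if part.startswith("_"):
            raise PermissionError(f"private name {part!r} is not traversable")
        obj = getattr(obj, part)
        if isinstance(obj, types.ModuleType) and obj.__name__ not in ALLOWED_MODULES:
            raise PermissionError(
                f"module {obj.__name__!r} not importable from untrusted code")
    return obj


def probe(guard, path):
    """Run a guard over a slash-separated path and report ('blocked', reason)
    or ('reached', value) so the two guards can be compared side by side."""
    try:
        value = guard(trusted, path)
    except PermissionError as exc:
        return ("blocked", str(exc))
    return ("reached", value)


if __name__ == "__main__":
    for path in ("_sens/run_command", "sensitive/run_command", "safe_value"):
        print(f"{path:22} name-check: {probe(traverse_name_check, path)[0]:8} "
              f"allowlist: {probe(traverse_allowlist, path)[0]}")
```

The name-based guard blocks `_sens/run_command` but lets `sensitive/run_command` through to the same function, which is the shape of the part 2 finding. The allowlist guard blocks both, because it decides on the object that was reached rather than on the spelling of the attribute.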

Current status

Hotfixed. Fix released in Zope 4.6.1 and 5.2.1.

Credits

Discovered by

  • Calum Hutton

Fixed by

  • Plone Security Team

Coordinated by

  • Plone Security Team