Remote Code Execution via traversal in expressions with aliases

Versions affected

  • 5.2.4
  • 5.2.3
  • 5.2.2
  • 5.2.1
  • 5.2.0
  • 5.1rc2
  • 5.1rc1
  • 5.1b4
  • 5.1b3
  • 5.1b2
  • 5.1a2
  • 5.1a1
  • 5.1.7
  • 5.1.6
  • 5.1.5
  • 5.1.4
  • 5.1.2
  • 5.1.1
  • 5.1
  • 5.0rc3
  • 5.0rc2
  • 5.0rc1
  • 5.0.9
  • 5.0.8
  • 5.0.7
  • 5.0.6
  • 5.0.5
  • 5.0.4
  • 5.0.3
  • 5.0.2
  • 5.0.10
  • 5.0.1
  • 5.0
  • 4.3.9
  • 4.3.8
  • 4.3.7
  • 4.3.6
  • 4.3.5
  • 4.3.4
  • 4.3.3
  • 4.3.20
  • 4.3.2
  • 4.3.19
  • 4.3.18
  • 4.3.17
  • 4.3.15
  • 4.3.14
  • 4.3.12
  • 4.3.11
  • 4.3.10
  • 4.3.1
  • 4.3

Vulnerability

Most Python modules are not available for using in expressions that you can add through-the-web, for example in the parameters of a Diazo theme. This is mostly to avoid file system access, for example via the 'os' module. But some of the untrusted modules are available indirectly. By default, you need to have the Manager role to exploit this.

Current status

Hotfixed. Fix released in Zope 4.6 and 5.2.

Credits

Discovered by

  • David Miller

Fixed by

  • Plone Security Team

Coordinated by

  • Plone Security Team