Information disclosures: mostly installation logs
Versions affected
- 5.2.4
- 5.2.3
- 5.2.2
- 5.2.1
- 5.2.0
- 5.1rc2
- 5.1rc1
- 5.1b4
- 5.1b3
- 5.1b2
- 5.1a2
- 5.1a1
- 5.1.7
- 5.1.6
- 5.1.5
- 5.1.4
- 5.1.2
- 5.1.1
- 5.1
- 5.0rc3
- 5.0rc2
- 5.0rc1
- 5.0.9
- 5.0.8
- 5.0.7
- 5.0.6
- 5.0.5
- 5.0.4
- 5.0.3
- 5.0.2
- 5.0.10
- 5.0.1
- 5.0
- 4.3.9
- 4.3.8
- 4.3.7
- 4.3.6
- 4.3.5
- 4.3.4
- 4.3.3
- 4.3.20
- 4.3.2
- 4.3.19
- 4.3.18
- 4.3.17
- 4.3.15
- 4.3.14
- 4.3.12
- 4.3.11
- 4.3.10
- 4.3.1
- 4.3
Vulnerability
Various URLs give information to anonymous users that is intended to remain secret. This includes installation logs. Depending on add-ons and custom code, these might contain passwords, tokens or other secret keys.
Current status
Fixes have already been released in Products.PluggableAuthService 2.6.0, Products.GenericSetup 2.1.1, Zope 4.5.5, and Products.CMFQuickInstallerTool 4.0.4.
This hotfix contains patches for older releases.
Credits
Discovered by
- Calum Hutton
Fixed by
- Plone Security Team
Coordinated by
- Plone Security Team