Information disclosures: mostly installation logs

Versions affected

  • 5.2.4
  • 5.2.3
  • 5.2.2
  • 5.2.1
  • 5.2.0
  • 5.1rc2
  • 5.1rc1
  • 5.1b4
  • 5.1b3
  • 5.1b2
  • 5.1a2
  • 5.1a1
  • 5.1.7
  • 5.1.6
  • 5.1.5
  • 5.1.4
  • 5.1.2
  • 5.1.1
  • 5.1
  • 5.0rc3
  • 5.0rc2
  • 5.0rc1
  • 5.0.9
  • 5.0.8
  • 5.0.7
  • 5.0.6
  • 5.0.5
  • 5.0.4
  • 5.0.3
  • 5.0.2
  • 5.0.10
  • 5.0.1
  • 5.0
  • 4.3.9
  • 4.3.8
  • 4.3.7
  • 4.3.6
  • 4.3.5
  • 4.3.4
  • 4.3.3
  • 4.3.20
  • 4.3.2
  • 4.3.19
  • 4.3.18
  • 4.3.17
  • 4.3.15
  • 4.3.14
  • 4.3.12
  • 4.3.11
  • 4.3.10
  • 4.3.1
  • 4.3

Vulnerability

Various URLs expose information to anonymous (unauthenticated) users that is intended to remain secret, including installation logs. Depending on the add-ons and custom code installed, these logs might contain passwords, tokens or other secret keys.

Current status

Fixes have already been released in Products.PluggableAuthService 2.6.0, Products.GenericSetup 2.1.1, Zope 4.5.5, and Products.CMFQuickInstallerTool 4.0.4. This hotfix contains patches for older releases.

Credits

Discovered by

  • Calum Hutton

Fixed by

  • Plone Security Team

Coordinated by

  • Plone Security Team