oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Plone security advisory 2023/09/21

From: Maurits van Rees <maurits () vanrees org>
Date: Fri, 22 Sep 2023 12:14:42 +0200
Various vulnerabilities in Plone and Zope have been reported and fixed. They affect all supported Plone versions: 5.2 and 6.0. Older Plone versions are likely also affected. There will be no traditional hotfix package for these: you should update the version pins of individual packages. See [this post](https://community.plone.org/t/less-plone-hotfix-packages/17931?u=mauritsvanrees) about why we do less hotfix packages. 

The information can be found here:
https://community.plone.org/t/plone-security-advisory-2023-09-21/17941
https://plone.org/security/hotfix/20230921

The text is included below.


## Denial of service
In `plone.rest` when the `++api++` traverser is accidentally used multiple times in a url, handling it takes increasingly longer, making the server less responsive.
Security advisory: [CVE-2023-42457](https://github.com/plone/plone.rest/security/advisories/GHSA-h6rp-mprm-xgcq). 

## Stored XSS
There is a stored cross site scripting vulnerability for SVG images. A [security hotfix from 2021](https://github.com/plone/Products.PloneHotfix20210518) already partially fixed this, by making sure SVG images are always downloaded instead of shown inline. But the same problem still exists for *scales* of SVG images. And it exists for *user portraits*, both in Volto and ClassicUI.
Technically, ClassicUI is not vulnerable for the user portrait part, because you cannot upload an SVG as user portrait. But in Volto you can, so you may be able to access a vulnerable url in the backend anyway.
Note that a page that uses an image tag with an SVG image as source is never vulnerable, even when the SVG image contains malicious code. To exploit the vulnerability, an attacker would first need to upload a malicious SVG image, and then trick a user into following a specially crafted link. 

Fixes are needed in three packages. We link to the security advisories:
* [`plone.namedfile`](https://github.com/plone/plone.namedfile/security/advisories/GHSA-jj7c-jrv4-c65x) CVE-2023-41048 * [`Zope`](https://github.com/zopefoundation/Zope/security/advisories/GHSA-wm8q-9975-xh5v) CVE-2023-42458 * [`plone.restapi`](https://github.com/plone/plone.restapi/security/advisories/GHSA-hc5c-r8m5-2gfh) also CVE-2023-42458 

## Information disclosure and sandbox escape
Earlier this month, new Zope releases were made, which included security releases of `AccessControl` and `RestrictedPython` . See the [community announcement](https://community.plone.org/t/zope-4-8-9-and-5-8-4-released-with-a-security-fix/17849). 

## Fixed Plone versions
All needed packages are included in Plone 5.2.14 and 6.0.7 which have just been released. 

## Package versions
If you cannot or do not want to upgrade your entire Plone version, you can upgrade individual package versions. 

Fixes are available in these versions:

```
AccessControl = 4.4, 5.8, 6.2
RestrictedPython = 5.4, 6.2
plone.namedfile = 5.6.1, 6.0.3, 6.1.3, 6.2.1
plone.rest = 2.0.1, 3.0.1
plone.restapi = 8.43.4
Zope = 4.8.10, 5.8.5
```
If you are using Buildout, then for the `Zope`, `AccessControl` and `RestrictedPython` versions it is best to update the `[buildout] extends` lines to include the following.
For Plone 5.2: https://zopefoundation.github.io/Zope/releases/4.8.10/versions.cfg
For Plone 6: https://zopefoundation.github.io/Zope/releases/5.8.5/versions.cfg 

So which versions of these packages should you use on which Plone version?
To avoid surprises, you should use the version that is closest to the version you are already using. If you use the default versions, the following should help. This uses the Buildout notation. If you use a pip constraints file, you should use a double equals sign. 

### Plone 5.2

```
AccessControl = 4.4
plone.namedfile = 5.6.1
RestrictedPython = 5.4
Zope = 4.8.10
```
If you run Plone 5.2 on Python 3, and you are already using `plone.restapi` 8, then you can additionally use: 

```
plone.restapi = 8.43.4
```

### Plone 6.0.0/6.0.1

```
AccessControl = 5.8
plone.namedfile = 6.0.3
plone.rest = 2.0.1
plone.restapi = 8.43.4
RestrictedPython = 6.2
Zope = 5.8.5
```

### Plone 6.0.2

```
AccessControl = 5.8
plone.namedfile = 6.0.3
plone.rest = 3.0.1
plone.restapi = 8.43.4
RestrictedPython = 6.2
Zope = 5.8.5
```

### Plone 6.0.3/6.0.4

```
AccessControl = 6.2
plone.namedfile = 6.0.3
plone.rest = 3.0.1
plone.restapi = 8.43.4
RestrictedPython = 6.2
Zope = 5.8.5
```

### Plone 6.0.5/6.0.6

```
AccessControl = 6.2
plone.namedfile = 6.1.3
plone.rest = 3.0.1
plone.restapi = 8.43.4
RestrictedPython = 6.2
Zope = 5.8.5
```
If you are having problems with the installation, or see regressions, please make a post in this thread, and anyone can help you.
If you see further security problems, please [mail the Plone/Zope Security Team](mailto:security () plone org). 


--
Maurits van Rees https://maurits.vanrees.org/
Plone/Zope Security Team
Previous By Date Next
Previous By Thread Next

Current thread: