oss-sec mailing list archives
CVE Request: Plone Sandbox escape vulnerability
From: Nathan Van Gheem <nathan.van.gheem () plone org>
Date: Tue, 17 Jan 2017 09:06:10 -0600
Dear oss-security List,

Please provide a CVE for the following issue:

Sandbox escape
Accessing private content via `str.format` in through-the-web templates and scripts.

See this blog post by Armin Ronacher (http://lucumr.pocoo.org/2016/12/29/careful-with-str-format/) for the general idea. Since the `format` method was introduced in Python 2.6, this part of the hotfix is only relevant for Plone 4 and 5, not Plone 3.

Credit: Plone security team, Armin Ronacher
Reference: https://plone.org/security/hotfix/20170117/sandbox-escape
Versions Affected: 4.3.11 and any earlier 4.x version, 5.0.6 and any earlier 5.x version
Code fixes: https://pypi.python.org/pypi/Products.PloneHotfix20170117
Recommended action: Install the https://pypi.python.org/pypi/Products.PloneHotfix20170117 package.

Thank you,
Nathan Van Gheem
Plone Security Team