Bug 744804 (CVE-2011-4030)

Summary: CVE-2011-4030 plone: Sub-objects access via unspecified vectors
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: jonathansteffan
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-08-22 07:04:53 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 744806    

Description Jan Lieskovsky 2011-10-10 14:23:46 UTC 
Common Vulnerabilities and Exposures assigned an identifier CVE-2011-4030 to
the following vulnerability:

The CMFEditions component 2.x in Plone 4.0.x through 4.0.9, 4.1, and
4.2 through 4.2a2 does not prevent the KwAsAttributes classes from
being publishable, which allows remote attackers to access sub-objects
via unspecified vectors, a different vulnerability than CVE-2011-3587.

References:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4030
[2] http://plone.org/products/plone-hotfix/releases/20110928
[3] http://plone.org/products/plone-hotfix/releases/20110928/PloneHotfix20110928-1.0.zip
[4] http://pypi.python.org/pypi/Products.PloneHotfix20110928/1.0
Comment 1 Jan Lieskovsky 2011-10-10 14:25:49 UTC 
This issue did NOT affect the versions of the conga package, as shipped with Red Hat Cluster Suite for Red Hat Enterprise Linux 4 and as shipped with Red Hat Enterprise Linux 5.

--

This issue did NOT affect the version of the plone package, as present within EPEL-5 repository.
Comment 2 Jan Lieskovsky 2011-10-10 14:28:58 UTC 
From particular Pypi record:
http://pypi.python.org/pypi/Products.PloneHotfix20110928/1.0

This hotfix fixes the following vulnerabilities:

   * A vulnerability in CMFEditions where KwAsAttributes classes were publishable, exposing sub-objects to anonymous access. This vulnerability is found in CMFEditions 2.0a1 and up. CMFEditions 1.x and before are not vulnerable.

--

The version of CMFEditions in plone package from EPEL-5 repository is
(Plone-3.1.6]# Products/CMFEditions/CHANGES.txt):

CMFEditions 1.1.7 (June 2, 2008)
Comment 3 Jan Lieskovsky 2012-01-05 16:17:46 UTC 
Upstream CMFEditions patch:
[5] https://github.com/plone/Products.CMFEditions/commit/d55add52e5900967c8cc78becc6790048f02015b

(also part of Plone PloneHotfix20110928/1.0)
Comment 4 Jan Lieskovsky 2012-01-05 16:36:00 UTC 
Statement:

Not vulnerable. This issue did not affect the versions of conga as shipped with Red Hat Cluster Suite for Red Hat Enterprise Linux 4 and as shipped with Red Hat Enterprise Linux 5 as they did not include support for CMFEditions.