Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
First Last Prev Next    This bug is not in your last search results.
Bug 744804 - (CVE-2011-4030) CVE-2011-4030 plone: Sub-objects access via unspecified vectors
CVE-2011-4030 plone: Sub-objects access via unspecified vectors
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
impact=low,public=20111004,reported=2...
: Security
Depends On:
Blocks: 744806
  Show dependency treegraph
 
Reported: 2011-10-10 10:23 EDT by Jan Lieskovsky
Modified: 2015-08-22 03:04 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-08-22 03:04:53 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description Jan Lieskovsky 2011-10-10 10:23:46 EDT 
Common Vulnerabilities and Exposures assigned an identifier CVE-2011-4030 to
the following vulnerability:

The CMFEditions component 2.x in Plone 4.0.x through 4.0.9, 4.1, and
4.2 through 4.2a2 does not prevent the KwAsAttributes classes from
being publishable, which allows remote attackers to access sub-objects
via unspecified vectors, a different vulnerability than CVE-2011-3587.

References:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4030
[2] http://plone.org/products/plone-hotfix/releases/20110928
[3] http://plone.org/products/plone-hotfix/releases/20110928/PloneHotfix20110928-1.0.zip
[4] http://pypi.python.org/pypi/Products.PloneHotfix20110928/1.0
Comment 1 Jan Lieskovsky 2011-10-10 10:25:49 EDT 
This issue did NOT affect the versions of the conga package, as shipped with Red Hat Cluster Suite for Red Hat Enterprise Linux 4 and as shipped with Red Hat Enterprise Linux 5.

--

This issue did NOT affect the version of the plone package, as present within EPEL-5 repository.
Comment 2 Jan Lieskovsky 2011-10-10 10:28:58 EDT 
From particular Pypi record:
http://pypi.python.org/pypi/Products.PloneHotfix20110928/1.0

This hotfix fixes the following vulnerabilities:

   * A vulnerability in CMFEditions where KwAsAttributes classes were publishable, exposing sub-objects to anonymous access. This vulnerability is found in CMFEditions 2.0a1 and up. CMFEditions 1.x and before are not vulnerable.

--

The version of CMFEditions in plone package from EPEL-5 repository is
(Plone-3.1.6]# Products/CMFEditions/CHANGES.txt):

CMFEditions 1.1.7 (June 2, 2008)
Comment 3 Jan Lieskovsky 2012-01-05 11:17:46 EST 
Upstream CMFEditions patch:
[5] https://github.com/plone/Products.CMFEditions/commit/d55add52e5900967c8cc78becc6790048f02015b

(also part of Plone PloneHotfix20110928/1.0)
Comment 4 Jan Lieskovsky 2012-01-05 11:36:00 EST 
Statement:

Not vulnerable. This issue did not affect the versions of conga as shipped with Red Hat Cluster Suite for Red Hat Enterprise Linux 4 and as shipped with Red Hat Enterprise Linux 5 as they did not include support for CMFEditions.
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.