Bug 2048662 (CVE-2022-23599) - CVE-2022-23599 Plone: Cache poisoning in image_view_fullscreen
Summary: CVE-2022-23599 Plone: Cache poisoning in image_view_fullscreen
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2022-23599
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2048663
TreeView+ depends on / blocked
 
Reported: 2022-01-31 17:02 UTC by Pedro Sampaio
Modified: 2022-02-01 10:34 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2022-02-01 10:34:44 UTC
Embargoed:

Attachments (Terms of Use)

Description Pedro Sampaio 2022-01-31 17:02:02 UTC 
Products.ATContentTypes are the core content types for Plone 2.1 - 4.3. Versions of Plone that are dependent on Products.ATContentTypes prior to version 3.0.6 are vulnerable to reflected cross site scripting and open redirect when an attacker can get a compromised version of the image_view_fullscreen page in a cache, for example in Varnish. The technique is known as cache poisoning. Any later visitor can get redirected when clicking on a link on this page. Usually only anonymous users are affected, but this depends on the user's cache settings. Version 3.0.6 of Products.ATContentTypes has been released with a fix. This version works on Plone 5.2, Python 2 only. As a workaround, make sure the image_view_fullscreen page is not stored in the cache. More information about the vulnerability and cvmitigation measures is available in the GitHub Security Advisory.

References:

https://github.com/plone/Products.ATContentTypes/commit/fc793f88f35a15a68b52e4abed77af0da5fdbab8
https://github.com/plone/Products.ATContentTypes/security/advisories/GHSA-g4c2-ghfg-g5rh
Note You need to log in before you can comment on or make changes to this bug.