Date: Wed, 18 Jan 2017 11:33:57 -0500
From: <>
To: <>
CC: <>, <>
Subject: Re: CVE Request: Plone Sandbox escape vulnerability

> [] Accessing private content via `str.format` in through-the-web templates
> and scripts. See this blog post by Armin Ronacher (
> for the
> general idea. Since the `format` method was introduced in Python 2.6, this
> part of the hotfix is only relevant for Plone 4 and 5, not Plone 3.
>     Credit: Plone security team, Armin Ronacher
>     Reference:
> Versions Affected:
> 4.3.11 and any earlier 4.x version, 5.0.6 and any earlier 5.x version
> Code fixes:

Use CVE-2017-5524.

The scope of this CVE does not include the "reflected Cross Site
Scripting attack (XSS) in the ZMI (manage_findResult)" mentioned on
the PloneHotfix20170117 page. If that still needs a CVE ID, please let
us know.

In the post,
the exploitation scenarios are:

>     untrusted translators on string files. This is a big one because
>     many applications that are translated into multiple languages will
>     use new-style Python string formatting and not everybody will vet
>     all the strings that come in.

We do not feel that a CVE would have been needed if this were the only
exploitation scenario. We do not think there is a security boundary
between "people who can contribute arbitrary code to a product" and
"people who can contribute code that expresses translations." However,
it is possible that an open-source project exists somewhere with a
completely untrusted channel for translators.

>     user exposed configuration. On some systems users might be
>     permitted to configure some behavior and that might be exposed as
>     format strings. In particular I have seen it where users can
>     configure notification mails, log message formats or other basic
>     templates in web applications.

This one seems completely valid, and might be the primary exploitation
scenario for CVE-2017-5524.

-- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at ]
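Editor's note: the "user exposed configuration" scenario above is the one worth seeing concretely, so here is an added, constructed example (not code from this thread, from Armin Ronacher's post, or from the Plone hotfix). It binds a harmless application object to a user-editable notification template via str.format and shows how the replacement field walks from that object through __class__, __init__ and __globals__ to a module-level secret. It then shows one way to constrain the walk with a string.Formatter subclass. The names User, SECRET_KEY, PUBLIC_ATTRS, SafeFormatter, split_field and attempt are assumptions made for the example; the allowlist-on-the-class convention is one possible design, not a description of how Plone's fix works.

```python
"""
CVE-2017-5524 pattern, constructed for illustration (not Plone code): an
untrusted format string is rendered with str.format and a trusted object
bound to it. str.format resolves attribute and index chains, so the
template can traverse from the bound object to module globals.
"""
import re
import string

# Constructed stand-in for private configuration a template must never see.
SECRET_KEY = "constructed-secret-do-not-leak"


class User:
    # Assumed convention for this example: a class lists the attributes that
    # templates may read. Nothing else on the object is reachable.
    PUBLIC_ATTRS = ("name",)

    def __init__(self, name):
        self.name = name


def render_unsafe(template, user):
    """The vulnerable pattern: untrusted template, trusted bound object."""
    return template.format(user=user)


_FIRST = re.compile(r"[^.\[]*")
_STEP = re.compile(r"\.(\w+)|\[([^\]]*)\]")


def split_field(field_name):
    """Split 'user.name[0]' into ('user', [(True, 'name'), (False, '0')]),
    mirroring how str.format tokenizes a replacement field: True marks an
    attribute step, False an index step."""
    m = _FIRST.match(field_name)
    first, steps, pos = m.group(0), [], m.end()
    while pos < len(field_name):
        m = _STEP.match(field_name, pos)
        if m is None:
            raise ValueError("malformed field name: %r" % field_name)
        steps.append((True, m.group(1)) if m.group(1) is not None
                     else (False, m.group(2)))
        pos = m.end()
    return first, steps


class SafeFormatter(string.Formatter):
    """Formatter that refuses private/dunder attribute traversal and only
    follows attributes a class explicitly marks public. Indexing is limited
    to plain containers so no user-defined __getitem__ hook is reachable.
    Nested fields inside a format spec go through the same get_field call."""

    def get_field(self, field_name, args, kwargs):
        first, steps = split_field(field_name)
        obj = self.get_value(int(first) if first.isdigit() else first,
                             args, kwargs)
        for is_attr, key in steps:
            if is_attr:
                allowed = getattr(type(obj), "PUBLIC_ATTRS", ())
                if key.startswith("_") or key not in allowed:
                    raise ValueError(
                        "attribute %r is not accessible from a template" % key)
                obj = getattr(obj, key)
            else:
                if not isinstance(obj, (dict, list, tuple, str)):
                    raise ValueError(
                        "cannot index %s from a template" % type(obj).__name__)
                obj = obj[int(key) if key.isdigit() else key]
        return obj, first


def render_safe(template, user):
    return SafeFormatter().vformat(template, (), {"user": user})


def attempt(template, user):
    """Return ('ok', text) or ('blocked', reason) for a template rendered
    through SafeFormatter, for side-by-side comparison with render_unsafe."""
    try:
        return "ok", render_safe(template, user)
    except (ValueError, LookupError) as exc:
        return "blocked", str(exc)


# Constructed templates: a legitimate notification text and an attack string
# of the shape described in the blog post quoted in this thread.
BENIGN = "Hello {user.name}, your report is ready."
HOSTILE = "Hello {user.__class__.__init__.__globals__[SECRET_KEY]}"

if __name__ == "__main__":
    u = User("alice")
    print("unsafe:", render_unsafe(HOSTILE, u))  # leaks SECRET_KEY
    print("safe  :", attempt(HOSTILE, u))        # ('blocked', ...)
    print("safe  :", attempt(BENIGN, u))         # ('ok', 'Hello alice, ...')
```

The allowlist is on the class rather than a denylist of dunder names on purpose: a denylist misses plain attributes that happen to hold sensitive objects, and built-in types (str, dict) carry no PUBLIC_ATTRS, so a traversal such as user.name.upper is also refused rather than handing the template a bound method.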

