Date: Wed, 18 Jan 2017 11:33:57 -0500 From: <cve-assign@...re.org> To: <nathan.van.gheem@...ne.org> CC: <cve-assign@...re.org>, <oss-security@...ts.openwall.com> Subject: Re: CVE Request: Plone Sandbox escape vulnerability -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 >  Accessing private content via `str.format` in through-the-web templates > and scripts. See this blog post by Armin Ronacher ( > http://lucumr.pocoo.org/2016/12/29/careful-with-str-format/) for the > general idea. Since the `format` method was introduced in Python 2.6, this > part of the hotfix is only relevant for Plone 4 and 5, not Plone 3. > Credit: Plone security team, Armin Ronacher > Reference: https://plone.org/security/hotfix/20170117/sandbox-escape > > Versions Affected: > 4.3.11 and any earlier 4.x version, 5.0.6 and any earlier 5.x version > > Code fixes: > https://pypi.python.org/pypi/Products.PloneHotfix20170117 Use CVE-2017-5524. The scope of this CVE does not include the "reflected Cross Site Scripting attack (XSS) in the ZMI (manage_findResult)" mentioned on the PloneHotfix20170117 page. If that still needs a CVE ID, please let us know. In the http://lucumr.pocoo.org/2016/12/29/careful-with-str-format/ post, the exploitation scenarios are: > untrusted translators on string files. This is a big one because > many applications that are translated into multiple languages will > use new-style Python string formatting and not everybody will vet > all the strings that come in. We do not feel that a CVE would have been needed if this were the only exploitation scenario. We do not think there is a security boundary between "people who can contribute arbitrary code to a product" and "people who can contribute code that expresses translations." However, it is possible that an open-source project exists somewhere with a completely untrusted channel for translators. > user exposed configuration. One some systems users might be > permitted to configure some behavior and that might be exposed as > format strings. In particular I have seen it where users can > configure notification mails, log message formats or other basic > templates in web applications. This one seems completely valid, and might be the primary exploitation scenario for CVE-2017-5524. - -- CVE Assignment Team M/S M300, 202 Burlington Road, Bedford, MA 01730 USA [ A PGP key is available for encrypted communications at http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJYf5iGAAoJEHb/MwWLVhi27kcQAJHT6gBPBNBX+bevBoRdfS2h NtBgjZrd1s2KVCPnCdZGfnayAFz4nhtaSPul1riqH4on/krV9QkxZmRXxV/8R8ic IfmTWjg4DRuzYYwSGKKhrlNQa4OVWFVT/us4Rv4XDJwPTOXpf5qKFGjisp7udw8i SmFFTEYUV6r26ons2Q5u5RQenmiml3gdiS48XTQ5RFVXRNRKpCeswM1E+kG+S6bV G4Bx8QYUcRvCrRV2W1gEEjxBiI65FyOBQTX3jDg/N7DSn9v4dX4gZaSrbUaHIqLB YAzuTD4liH/G3ABAUQf3C2uiGEYbDUjGb4v5DFptcGr+xHMx3gtak3sJS+BS2mXq nrClrpO9BBoYFgQxV6QRTAEpuDoiAfcv6lB/Uj4/90Ub+hrqf94uqyS6XlGzyaxq r8kWPiVuUf8YbUVfT5H5YSeRZVH1gMK16Mci/4EWw3Al25CuK+HwrIZT/oA7ljez BL+zGzDGMPoIsHmge+PIS9yEbRvZ05Bim8p4yCE/0nFpWhipALEhNshADgVpkLME 338NhrrW1fyNQoOCggacrcHp51hqpaAVRzJ5yM8DTmMz+SmAGhq2vemqFageQkyr B+P3VsnBCEFofULAXPgYYN1+Ub4tkWaO3enYCZ2YJIFe/Zj6ysKLnEW42l2edRNz T2eqS7U/9gxzMdHRkqIn =97Au -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.