—

PYSEC-2014-49

Details

AccessControl/AuthEncoding.py in Zope before 2.13.19, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote attackers to obtain passwords via vectors involving timing discrepancies in password validation.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / plone

Introduced in: 0 Fixed in: 4.2.3

Fix pip install --upgrade 'plone>=4.2.3'

References

http://www.openwall.com/lists/oss-security/2012/11/10/1 [WEB]
https://plone.org/products/plone/security/advisories/20121106/23 [ADVISORY]
https://bugs.launchpad.net/zope2/+bug/1071067 [WEB]
https://plone.org/products/plone-hotfix/releases/20121106 [WEB]
https://github.com/plone/Products.CMFPlone/blob/4.2.3/docs/CHANGES.txt [WEB]
https://github.com/advisories/GHSA-3qpr-7rmg-73v8 [ADVISORY]