Severity: HIGH

GHSA-8w48-m6hx-rjw2

Zope Command Execution Vulnerability

Details

Unspecified vulnerability in Zope 2.12.x and 2.13.x, as used in Plone 4.0.x through 4.0.9, 4.1, and 4.2 through 4.2a2, allows remote attackers to execute arbitrary commands via vectors related to the `p_` class in `OFS/misc_.py` and the use of Python modules.

Affected packages

PyPI / zope2
Introduced in: 2.12.0
Fixed in: 2.12.20
Fix: `pip install --upgrade 'zope2>=2.12.20'`

PyPI / zope2
Introduced in: 2.13.0
Fixed in: 2.13.10
Fix: `pip install --upgrade 'zope2>=2.13.10'`
