CVE-2007-5741: Unsafe data interpreted as pickles

by Wichert Akkerman last modified Nov 17, 2007 09:33 AM
This hotfix corrects a vulnerability in the statusmessages and linkintegrity modules, where unsafe network data was interpreted as python pickles. This allows an attacker to run arbitrary python code within the Zope/Plone process.

This issue has been assigned CVE-2007-5741.

Affected versions

  • Plone 2.5 up to and including 2.5.4
  • Plone 3.0 up to and including 3.0.2

These fixes will be included in the 2.5.5 and 3.0.3 releases, at which point this hotfix can be removed.

Installing the hotfix

If an updated Plone is not released by the time you read this, or you can not upgrade your Plone, you can install Plone Hotfix 2007-11-06. The hotfix can be installed as a normal Zope product:

  • Extract it in the Products directory of your Zope instance
  • Restart Zope
  • Verify that the hotfix is listed in the product management page in the Zope Control Panel

Reported incidents

No incidents of this happening to sites in the wild have been reported.