Sandbox escape

by Nathan Van Gheem published 2017/01/17 15:01:00 GMT+0, last modified 2017-01-21T20:19:19+00:00

Versions affected

  • 5.1a2
  • 5.1a1
  • 5.0.6
  • 5.0.5
  • 5.0.4
  • 5.0.3
  • 5.0.2
  • 5.0.1
  • 5.0
  • 5.0rc3
  • 5.0rc2
  • 5.0rc1
  • 4.3.11
  • 4.3.10
  • 4.3.9
  • 4.3.8
  • 4.3.7
  • 4.3.6
  • 4.3.5
  • 4.3.4
  • 4.3.3
  • 4.3.2
  • 4.3.1
  • 4.3
  • 4.2.7
  • 4.2.6
  • 4.2.5
  • 4.2.4
  • 4.2.3
  • 4.2.2
  • 4.2.1
  • 4.2
  • 4.1.6
  • 4.1.5
  • 4.1.4
  • 4.1.3
  • 4.1.2
  • 4.1.1
  • 4.1
  • 4.0.10
  • 4.0.9
  • 4.0.8
  • 4.0.7
  • 4.0.5
  • 4.0.4
  • 4.0.3
  • 4.0.2
  • 4.0.1
  • 4.0

Vulnerability

Through-the-web templates and scripts can access private content via `str.format`. See this blog post by Armin Ronacher (http://lucumr.pocoo.org/2016/12/29/careful-with-str-format/) for the general idea. Since the `format` method was introduced in Python 2.6, this part of the hotfix is only relevant for Plone 4 and 5, not Plone 3.
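The general idea, as an added example that is not taken from the advisory or from the Plone hotfix: replacement fields in a format string perform attribute and item lookups inside the formatting machinery, so a sandbox that exposes `str.format` unchanged never gets to check them. The `Document` class, the two render helpers and the underscore-prefix policy are assumptions made for illustration; `_string.formatter_field_name_split` is the CPython helper that `string.Formatter` itself uses.

```python
import string
from _string import formatter_field_name_split  # CPython helper used by string.Formatter


class Document:
    """Constructed stand-in for a content object (not a Plone class)."""

    def __init__(self, title, secret):
        self.title = title
        self._secret = secret  # underscore name: off limits to sandboxed code


class GuardedFormatter(string.Formatter):
    """Resolve replacement fields step by step, checking each attribute name."""

    def get_field(self, field_name, args, kwargs):
        first, rest = formatter_field_name_split(field_name)
        obj = self.get_value(first, args, kwargs)
        for is_attr, name in rest:
            if is_attr:
                # Assumed policy: underscore-prefixed names are private.
                if name.startswith("_"):
                    raise AttributeError("access to %r denied" % name)
                obj = getattr(obj, name)
            else:
                obj = obj[name]
        return obj, first


def unguarded_render(template, *args, **kwargs):
    # str.format resolves "{0._secret}" itself, outside any sandbox check.
    return template.format(*args, **kwargs)


def guarded_render(template, *args, **kwargs):
    # Nested fields inside a format spec also pass through get_field.
    return GuardedFormatter().vformat(template, args, kwargs)


# Constructed sample object and value.
doc = Document("Annual report", "constructed-secret-value")
```
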

Current status

Patched

Credits

Discovered by

  • Armin Ronacher and Plone Security Team

Fixed by

  • Plone Security Team

Coordinated by

  • Plone Security Team