CVE-2012-5488: Improper Control of Generation of Code ('Code Injection')
(updated )
It was discovered that Plone, included as a part of luci, does not properly protect the privilege of running RestrictedPython scripts. A remote attacker could use a specially crafted URL that, when processed, would allow the attacker to submit and perform expensive computations or, in conjunction with other attacks, be able to access or alter privileged information.
References
- rhn.redhat.com/errata/RHSA-2014-1194.html
- www.openwall.com/lists/oss-security/2012/11/10/1
- access.redhat.com/errata/RHSA-2014:1194
- access.redhat.com/security/cve/CVE-2012-5488
- bugzilla.redhat.com/show_bug.cgi?id=878945
- github.com/advisories/GHSA-cxw7-85xm-3xrc
- github.com/plone/Products.CMFPlone/blob/4.2.3/docs/CHANGES.txt
- nvd.nist.gov/vuln/detail/CVE-2012-5488
- plone.org/products/plone-hotfix/releases/20121106
- plone.org/products/plone/security/advisories/20121106/04
Detect and mitigate CVE-2012-5488 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →