CVE-2013-4191: Plone is vulnerable to Information Exposure when generating zip archives

May 17, 2022 (updated October 15, 2024)

zip.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 does not properly enforce access restrictions when including content in a zip archive, which allows remote attackers to obtain sensitive information by reading a generated archive.

References

bugzilla.redhat.com/show_bug.cgi?id=978453
github.com/advisories/GHSA-grwx-4p5v-9g2g
github.com/plone/Plone
github.com/pypa/advisory-database/tree/main/vulns/plone/PYSEC-2014-55.yaml
nvd.nist.gov/vuln/detail/CVE-2013-4191

Detect and mitigate CVE-2013-4191 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →