CVE-2011-4030

The CMFEditions component 2.x in Plone 4.0.x through 4.0.9, 4.1, and 4.2 through 4.2a2 does not prevent the KwAsAttributes classes from being publishable, which allows remote attackers to access sub-objects via unspecified vectors, a different vulnerability than CVE-2011-3587.

CVSS v2.0 9.3 HIGH

9.3^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:M/Au:N/C:C/I:C/A:C

Exploitability : 8.6 / Impact : 10.0

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
http://plone.org/products/plone-hotfix/releases/20110928	Patch
http://plone.org/products/plone-hotfix/releases/20110928/PloneHotfix20110928-1.0.zip	Patch
http://pypi.python.org/pypi/Products.PloneHotfix20110928/1.0	Patch
http://secunia.com/advisories/46323
http://www.securityfocus.com/bid/50287

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:plone:cmfeditions:2.0a1:::::::*
	cpe:2.3:a:plone:cmfeditions:2.0b1:::::::*
	cpe:2.3:a:plone:cmfeditions:2.0b2:::::::*
	cpe:2.3:a:plone:cmfeditions:2.0b3:::::::*
	cpe:2.3:a:plone:cmfeditions:2.0b4:::::::*
	cpe:2.3:a:plone:cmfeditions:2.0b5:::::::*
	cpe:2.3:a:plone:cmfeditions:2.0b6:::::::*
	cpe:2.3:a:plone:cmfeditions:2.0b7:::::::*
	cpe:2.3:a:plone:cmfeditions:2.0b8:::::::*
	cpe:2.3:a:plone:cmfeditions:2.0b9:::::::*
	cpe:2.3:a:plone:plone:4.0:::::::*
	cpe:2.3:a:plone:plone:4.0.1:::::::*
	cpe:2.3:a:plone:plone:4.0.2:::::::*
	cpe:2.3:a:plone:plone:4.0.3:::::::*
	cpe:2.3:a:plone:plone:4.0.4:::::::*
	cpe:2.3:a:plone:plone:4.0.5:::::::*
	cpe:2.3:a:plone:plone:4.0.6.1:::::::*
	cpe:2.3:a:plone:plone:4.0.7:::::::*
	cpe:2.3:a:plone:plone:4.0.8:::::::*
	cpe:2.3:a:plone:plone:4.0.9:::::::*
	cpe:2.3:a:plone:plone:4.1:::::::*
	cpe:2.3:a:plone:plone:4.2:::::::*
	cpe:2.3:a:plone:plone:4.2a1:::::::*
	cpe:2.3:a:plone:plone:4.2a2:::::::*

History

No history.

Information

Published : 2011-10-10 10:55

Updated : 2011-10-30 03:39

NVD link : CVE-2011-4030

Mitre link : CVE-2011-4030

CVE.ORG link : CVE-2011-4030

JSON object : View

Products Affected

plone

plone
cmfeditions

CWE

CWE-264

Permissions, Privileges, and Access Controls

{"id": "CVE-2011-4030", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 9.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "authentication": "NONE", "integrityImpact": "COMPLETE", "accessComplexity": "MEDIUM", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": false, "impactScore": 10.0, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}]}, "published": "2011-10-10T10:55:06.957", "references": [{"url": "http://plone.org/products/plone-hotfix/releases/20110928", "tags": ["Patch"], "source": "cve@mitre.org"}, {"url": "http://plone.org/products/plone-hotfix/releases/20110928/PloneHotfix20110928-1.0.zip", "tags": ["Patch"], "source": "cve@mitre.org"}, {"url": "http://pypi.python.org/pypi/Products.PloneHotfix20110928/1.0", "tags": ["Patch"], "source": "cve@mitre.org"}, {"url": "http://secunia.com/advisories/46323", "source": "cve@mitre.org"}, {"url": "http://www.securityfocus.com/bid/50287", "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-264"}]}], "descriptions": [{"lang": "en", "value": "The CMFEditions component 2.x in Plone 4.0.x through 4.0.9, 4.1, and 4.2 through 4.2a2 does not prevent the KwAsAttributes classes from being publishable, which allows remote attackers to access sub-objects via unspecified vectors, a different vulnerability than CVE-2011-3587."}, {"lang": "es", "value": "El componente CMFEditions v2.x en Plone v4.0.x hasta v4.0.9, v4.1, y v4.2 hasta v4.2a2 no previene clases KwAsAttributes publicables, lo que permite a atacantes remotos acceder a sub-objetos a trav\u00e9s de vectores no especificados, una vulnerabilidad diferente que CVE-2011-3587."}], "lastModified": "2011-10-30T03:39:15.793", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:plone:cmfeditions:2.0a1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1E94E45E-ADAC-4CD6-B7E9-3F7C4C501BEE"}, {"criteria": "cpe:2.3:a:plone:cmfeditions:2.0b1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AC31071B-BD99-490F-8B86-5441949AF65D"}, {"criteria": "cpe:2.3:a:plone:cmfeditions:2.0b2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "07243926-511B-4464-96BA-B5FF2829FB2C"}, {"criteria": "cpe:2.3:a:plone:cmfeditions:2.0b3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BBB08BCC-175E-4D97-B0E7-C5BA415DA45E"}, {"criteria": "cpe:2.3:a:plone:cmfeditions:2.0b4:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DAA5BDE2-D9A7-4088-B32A-C10DFC931792"}, {"criteria": "cpe:2.3:a:plone:cmfeditions:2.0b5:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "19166094-7736-4B98-A5E6-AD173ED4BC68"}, {"criteria": "cpe:2.3:a:plone:cmfeditions:2.0b6:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "00E46DF5-093B-4194-90DE-EC156D9E308D"}, {"criteria": "cpe:2.3:a:plone:cmfeditions:2.0b7:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4CF4166A-265D-4DB7-B629-C2C729EA8BAD"}, {"criteria": "cpe:2.3:a:plone:cmfeditions:2.0b8:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6582FFEB-3F3A-4F4A-83A5-56DB5F66C1E1"}, {"criteria": "cpe:2.3:a:plone:cmfeditions:2.0b9:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B05ADE03-C904-4923-8931-28B154A3D01A"}, {"criteria": "cpe:2.3:a:plone:plone:4.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F3306D84-0F5B-46BA-9BCC-DCD0A1CDD604"}, {"criteria": "cpe:2.3:a:plone:plone:4.0.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E08F4534-A588-463F-A745-39E559AB1CB8"}, {"criteria": "cpe:2.3:a:plone:plone:4.0.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B64341BA-5722-415E-9771-9837168AB7C0"}, {"criteria": "cpe:2.3:a:plone:plone:4.0.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E2929227-AE19-428D-9AC3-D312A559039B"}, {"criteria": "cpe:2.3:a:plone:plone:4.0.4:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3B6DC866-0FEE-475B-855C-A69E004810CD"}, {"criteria": "cpe:2.3:a:plone:plone:4.0.5:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "50BF3E8E-152C-4E89-BAA2-A952D10F4611"}, {"criteria": "cpe:2.3:a:plone:plone:4.0.6.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "49DB97A7-89DD-43C0-A490-84AA7069764B"}, {"criteria": "cpe:2.3:a:plone:plone:4.0.7:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F1F88BF6-9058-4CB8-A2D6-5653860CF489"}, {"criteria": "cpe:2.3:a:plone:plone:4.0.8:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B2AA3FA2-15C3-444A-8810-5EF3E0E84D58"}, {"criteria": "cpe:2.3:a:plone:plone:4.0.9:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "72F3B15A-CD0F-4CC5-A76F-E62637B30E2E"}, {"criteria": "cpe:2.3:a:plone:plone:4.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7C44B53B-953B-4522-A5B4-11573850D2CD"}, {"criteria": "cpe:2.3:a:plone:plone:4.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1F1818BB-E23A-4136-898D-1D0C80C08728"}, {"criteria": "cpe:2.3:a:plone:plone:4.2a1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3CA5A1E3-EC1E-482D-B074-1304FBF963F2"}, {"criteria": "cpe:2.3:a:plone:plone:4.2a2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1DE6064F-67CC-4DA5-A4A8-D9E1F701B1A5"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}