Plone Arbitrary Code Execution via Unsafe Handling of Pickles
High severity
GitHub Reviewed
Published May 1, 2022 to the GitHub Advisory Database
Updated Sep 22, 2023
Package
Affected versions
>= 2.5, <= 2.5.4
>= 3.0, <= 3.0.2
Patched versions
2.5.5
3.0.3
Description
Published by the National Vulnerability Database
Nov 7, 2007
Published to the GitHub Advisory Database
May 1, 2022
Reviewed
Sep 22, 2023
Last updated
Sep 22, 2023
Plone 2.5 through 2.5.4 and 3.0 through 3.0.2 allows remote attackers to execute arbitrary Python code via network data containing pickled objects for the (1) statusmessages or (2) linkintegrity module, which the module unpickles and executes.
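The weakness described above comes down to handing network bytes to a pickle loader, which resolves and calls whatever globals the stream names. The following is an added example, not Plone's code: it scans a pickle stream for opcodes that can resolve or invoke callables without executing the stream, and loads data through an Unpickler whose find_class allowlist is empty, so plain status-message data (dicts, lists, strings) still loads while any stream naming a class or function is refused. The sample message and the Fraction object used as a stand-in for an arbitrary object are constructed here.

```python
import io
import pickle
import pickletools
from fractions import Fraction

# Opcodes that can resolve a global or invoke a callable during unpickling.
DANGEROUS_OPS = frozenset({
    "GLOBAL", "STACK_GLOBAL", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX",
    "REDUCE", "BUILD", "EXT1", "EXT2", "EXT4",
})

# Allowlist of (module, name) pairs a message may reference. Plain data
# (dict/list/str/int) needs none, so the allowlist is empty here.
ALLOWED_GLOBALS = frozenset()


def dangerous_opcodes(data: bytes) -> list:
    """Return the names of risky opcodes found in a pickle stream.

    pickletools.genops only parses the stream; nothing is executed, so this
    is safe to run on untrusted bytes (a malformed stream raises ValueError).
    """
    return [op.name for op, _arg, _pos in pickletools.genops(data)
            if op.name in DANGEROUS_OPS]


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global not on ALLOWED_GLOBALS."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def try_load(data: bytes):
    """Load a pickle under the allowlist; return (ok, value_or_error)."""
    try:
        return True, RestrictedUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError as exc:
        return False, str(exc)


# Constructed samples: a benign status message and an object-bearing pickle.
BENIGN_MESSAGE = pickle.dumps({"type": "info", "message": "Changes saved."})
OBJECT_PICKLE = pickle.dumps(Fraction(1, 2))  # carries a global reference

if __name__ == "__main__":
    print("benign opcodes:", dangerous_opcodes(BENIGN_MESSAGE), try_load(BENIGN_MESSAGE))
    print("object opcodes:", dangerous_opcodes(OBJECT_PICKLE), try_load(OBJECT_PICKLE))
```

Rejecting the stream before unpickling is the cheaper check; the restricted loader is the backstop if the scan is skipped.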