CVE-2012-5507
HIGH7.5EPSS 0.28%Plone and Zope2 affected by Race Condition
Published: 7/23/2018Modified: 10/21/2024
Description
AccessControl/AuthEncoding.py in Zope before 2.13.19, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote attackers to obtain passwords via vectors involving timing discrepancies in password validation.
Affected packages (4)
- PyPI/plone>= 3.2.2, < 4.2.3
- PyPI/plonefrom 0, < 4.2.3, >= 4.3a0, < 4.3b1
- PyPI/zope2from 0, < 2.13.19
- PyPI/zope2from 0, < 2.13.19
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | HIGH7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
References (9)
- ADVISORYhttps://github.com/advisories/GHSA-3qpr-7rmg-73v8
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2012-5507
- WEBhttps://bugs.launchpad.net/zope2/+bug/1071067
- WEBhttps://github.com/plone/Products.CMFPlone/blob/4.2.3/docs/CHANGES.txt
- WEBhttps://github.com/pypa/advisory-database/tree/main/vulns/plone/PYSEC-2014-49.yaml
- WEBhttps://github.com/pypa/advisory-database/tree/main/vulns/zope2/PYSEC-2014-75.yaml
- WEBhttps://plone.org/products/plone-hotfix/releases/20121106
- WEBhttps://plone.org/products/plone/security/advisories/20121106/23
- WEBhttp://www.openwall.com/lists/oss-security/2012/11/10/1