CVE-2012-5486
Severity: medium
CVSS v3: —
CVSS v2: 6.4
VIR risk: 6.4
Description
ZPublisher.HTTPRequest._scrubHeader in Zope 2 before 2.13.19, as used in Plone before 4.3 beta 1, allows remote attackers to inject arbitrary HTTP headers via a linefeed (LF) character. The scrubber removed CR-based line breaks from header values but let a bare LF through, and many HTTP clients and proxies accept LF alone as a line terminator, so an attacker who controls a header value (a redirect target is the usual vector) can terminate that header and append headers of their own, such as a Set-Cookie. The fix is in Zope 2.13.19 and Plone 4.3 beta 1; the Plone hotfix 20121106 patches earlier Plone releases.
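The bug class in one runnable Python sketch, added here as an illustration and not Zope's or Plone's own code: `scrub_header_crlf_only` is a hypothetical weak scrubber that strips only CR-based line breaks (the pattern the description points at, since a bare LF survives it), `scrub_header` is the hardened form that removes both characters, and `parse_header_lines` models a lenient client that treats LF alone as a line terminator. `PAYLOAD` is a constructed attacker-controlled redirect target, not a value taken from any advisory.

```python
import re

# Added example, not Zope's own code. PAYLOAD is a constructed attacker-
# controlled header value: a redirect target followed by a bare LF and a
# second header the attacker wants the server to emit.
PAYLOAD = "/index.html\nSet-Cookie: session=attacker"


def scrub_header_crlf_only(value: str) -> str:
    """Weak scrubber (hypothetical, modelled on the bug class): it strips
    CR and CRLF only, so a bare LF passes through untouched."""
    return re.sub(r"\r\n?", "", value)


def scrub_header(value: str) -> str:
    """Hardened scrubber: remove every CR and LF regardless of pairing,
    which is what closes the LF-only injection."""
    return re.sub(r"[\r\n]", "", value)


def render_header(name: str, value: str, scrub) -> str:
    """Emit one response header line after scrubbing the value."""
    return f"{name}: {scrub(value)}\r\n"


def parse_header_lines(raw: str) -> list[str]:
    """Split a header block the way a lenient HTTP parser does: LF ends a
    line and a preceding CR is optional. This parser behaviour is what
    turns a surviving LF into a second, attacker-chosen header."""
    return [ln.rstrip("\r") for ln in raw.split("\n") if ln.strip()]


def emitted_headers(scrub) -> list[str]:
    """Return the header lines a lenient client would see for PAYLOAD when
    the given scrubber is applied to a Location header."""
    return parse_header_lines(render_header("Location", PAYLOAD, scrub))


if __name__ == "__main__":
    # Weak scrub yields two headers (Location plus the injected Set-Cookie);
    # the hardened scrub collapses the payload into a single harmless line.
    print("weak scrub    :", emitted_headers(scrub_header_crlf_only))
    print("hardened scrub:", emitted_headers(scrub_header))
```

The hardened version deliberately deletes the characters rather than rejecting the request; that matches the "scrub" behaviour the affected function's name implies and avoids giving an attacker a way to trigger errors with a crafted redirect target. The same check applies to header names, not just values.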
Predictions
Exploit likelihood: 30%
Patch ETA: —
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Upgrade to Zope 2.13.19 or later (Plone 4.3 beta 1 or later). Sites on earlier Plone releases that cannot upgrade should apply the Plone hotfix 20121106.
Vendor advisory (Plone, reported via secalert@redhat.com): https://plone.org/products/plone/security/advisories/20121106/02
Vendor hotfix (Plone, reported via secalert@redhat.com): https://plone.org/products/plone-hotfix/releases/20121106
Application impact
| Vendor | Product | Versions (from CPE data) | Fixed |
|---|---|---|---|
| plone | plone | <= 4.2.2 | 4.3 beta 1 (or hotfix 20121106) |
| plone | plone | 1.0 | |
| plone | plone | 1.0.1 | |
| plone | plone | 1.0.2 | |
| plone | plone | 1.0.3 | |
| plone | plone | 1.0.4 | |
| plone | plone | 1.0.5 | |
| plone | plone | 1.0.6 | |
| plone | plone | 2.0 | |
| plone | plone | 2.0.1 | |
| plone | plone | 2.0.2 | |
| plone | plone | 2.0.3 | |
| plone | plone | 2.0.4 | |
| plone | plone | 2.0.5 | |
| plone | plone | 2.1 | |
| plone | plone | 2.1.1 | |
| plone | plone | 2.1.2 | |
| plone | plone | 2.1.3 | |
| plone | plone | 2.1.4 | |
| plone | plone | 2.5 | |
| plone | plone | 2.5.1 | |
| plone | plone | 2.5.2 | |
| plone | plone | 2.5.3 | |
| plone | plone | 2.5.4 | |
| plone | plone | 2.5.5 | |
| plone | plone | 3.0 | |
| plone | plone | 3.0.1 | |
| plone | plone | 3.0.2 | |
| plone | plone | 3.0.3 | |
| plone | plone | 3.0.4 | |
| plone | plone | 3.0.5 | |
| plone | plone | 3.0.6 | |
| plone | plone | 3.1 | |
| plone | plone | 3.1.1 | |
| plone | plone | 3.1.2 | |
| plone | plone | 3.1.3 | |
| plone | plone | 3.1.4 | |
| plone | plone | 3.1.5.1 | |
| plone | plone | 3.1.6 | |
| plone | plone | 3.1.7 | |
| plone | plone | 3.2 | |
| plone | plone | 3.2.1 | |
| plone | plone | 3.2.2 | |
| plone | plone | 3.2.3 | |
| plone | plone | 3.3 | |
| plone | plone | 3.3.1 | |
| plone | plone | 3.3.2 | |
| plone | plone | 3.3.3 | |
| plone | plone | 3.3.4 | |
| plone | plone | 3.3.5 | |
| plone | plone | 4.0 | |
| plone | plone | 4.0.1 | |
| plone | plone | 4.0.2 | |
| plone | plone | 4.0.3 | |
| plone | plone | 4.0.4 | |
| plone | plone | 4.0.5 | |
| plone | plone | 4.0.6.1 | |
| plone | plone | 4.1 | |
| plone | plone | 4.1.4 | |
| plone | plone | 4.1.5 | |
| plone | plone | 4.1.6 | |
| plone | plone | 4.2 | |
| plone | plone | 4.2.0.1 | |
| plone | plone | 4.2.1 | |
| plone | plone | 4.2.1.1 | |
| plone | plone | 4.3 (pre-beta 1 only; 4.3 beta 1 and later are fixed) | 4.3 beta 1 |
| zope | zope | 2.5.1 | |
| zope | zope | 2.6.1 | |
| zope | zope | 2.6.4 | |
| zope | zope | 2.7.0 | |
| zope | zope | 2.7.3 | |
| zope | zope | 2.7.4 | |
| zope | zope | 2.7.5 | |
| zope | zope | 2.7.6 | |
| zope | zope | 2.7.7 | |
| zope | zope | 2.7.8 | |
| zope | zope | 2.8.1 | |
| zope | zope | 2.8.4 | |
| zope | zope | 2.8.6 | |
| zope | zope | 2.8.8 | |
| zope | zope | 2.9.2 | |
| zope | zope | 2.9.3 | |
| zope | zope | 2.9.4 | |
| zope | zope | 2.9.5 | |
| zope | zope | 2.9.6 | |
| zope | zope | 2.9.7 | |
| zope | zope | 2.10.3 | |
| zope | zope | 2.10.8 | |
| zope | zope | 2.11.0 | |
| zope | zope | 2.11.1 | |
| zope | zope | 2.11.2 | |
| zope | zope | 2.11.3 | |
| zope | zope | 2.13.18 | 2.13.19 |
References
- https://nvd.nist.gov/vuln/detail/CVE-2012-5486
- https://access.redhat.com/errata/RHSA-2014:1194
- https://access.redhat.com/security/cve/CVE-2012-5486
- https://bugs.launchpad.net/zope2/+bug/930812
- https://bugzilla.redhat.com/show_bug.cgi?id=878939
- https://github.com/advisories/GHSA-77hv-8796-8ccp
- https://github.com/pypa/advisory-database/tree/main/vulns/plone/PYSEC-2014-28.yaml
- https://github.com/pypa/advisory-database/tree/main/vulns/zope2/PYSEC-2014-73.yaml
- https://plone.org/products/plone-hotfix/releases/20121106
- https://plone.org/products/plone/security/advisories/20121106/02
- http://rhn.redhat.com/errata/RHSA-2014-1194.html
- http://www.openwall.com/lists/oss-security/2012/11/10/1