CVE-2012-5507
medium
CVSS v3
—
CVSS v2
4.3
VIR risk
4.3
Description
AccessControl/AuthEncoding.py in Zope before 2.13.19, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote attackers to obtain passwords via vectors involving timing discrepancies in password validation.
Predictions
Exploit likelihood
30%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: secalert@redhat.com — https://plone.org/products/plone/security/advisories/20121106/23
Vendor advisory: secalert@redhat.com — https://plone.org/products/plone-hotfix/releases/20121106
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| zope | zope | 2.5.1 | |
| zope | zope | 2.6.1 | |
| zope | zope | 2.6.4 | |
| zope | zope | 2.7.0 | |
| zope | zope | 2.7.3 | |
| zope | zope | 2.7.4 | |
| zope | zope | 2.7.5 | |
| zope | zope | 2.7.6 | |
| zope | zope | 2.7.7 | |
| zope | zope | 2.7.8 | |
| zope | zope | 2.8.1 | |
| zope | zope | 2.8.4 | |
| zope | zope | 2.8.6 | |
| zope | zope | 2.8.8 | |
| zope | zope | 2.9.2 | |
| zope | zope | 2.9.3 | |
| zope | zope | 2.9.4 | |
| zope | zope | 2.9.5 | |
| zope | zope | 2.9.6 | |
| zope | zope | 2.9.7 | |
| zope | zope | 2.10.3 | |
| zope | zope | 2.10.8 | |
| zope | zope | 2.11.0 | |
| zope | zope | 2.11.1 | |
| zope | zope | 2.11.2 | |
| zope | zope | 2.11.3 | |
| zope | zope | 2.13.18 | |
| plone | plone | {"endIncluding":"4.2.2"} | |
| plone | plone | 1.0 | |
| plone | plone | 1.0.1 | |
| plone | plone | 1.0.2 | |
| plone | plone | 1.0.3 | |
| plone | plone | 1.0.4 | |
| plone | plone | 1.0.5 | |
| plone | plone | 1.0.6 | |
| plone | plone | 2.0 | |
| plone | plone | 2.0.1 | |
| plone | plone | 2.0.2 | |
| plone | plone | 2.0.3 | |
| plone | plone | 2.0.4 | |
| plone | plone | 2.0.5 | |
| plone | plone | 2.1 | |
| plone | plone | 2.1.1 | |
| plone | plone | 2.1.2 | |
| plone | plone | 2.1.3 | |
| plone | plone | 2.1.4 | |
| plone | plone | 2.5 | |
| plone | plone | 2.5.1 | |
| plone | plone | 2.5.2 | |
| plone | plone | 2.5.3 | |
| plone | plone | 2.5.4 | |
| plone | plone | 2.5.5 | |
| plone | plone | 3.0 | |
| plone | plone | 3.0.1 | |
| plone | plone | 3.0.2 | |
| plone | plone | 3.0.3 | |
| plone | plone | 3.0.4 | |
| plone | plone | 3.0.5 | |
| plone | plone | 3.0.6 | |
| plone | plone | 3.1 | |
| plone | plone | 3.1.1 | |
| plone | plone | 3.1.2 | |
| plone | plone | 3.1.3 | |
| plone | plone | 3.1.4 | |
| plone | plone | 3.1.5.1 | |
| plone | plone | 3.1.6 | |
| plone | plone | 3.1.7 | |
| plone | plone | 3.2 | |
| plone | plone | 3.2.1 | |
| plone | plone | 3.2.2 | |
| plone | plone | 3.2.3 | |
| plone | plone | 3.3 | |
| plone | plone | 3.3.1 | |
| plone | plone | 3.3.2 | |
| plone | plone | 3.3.3 | |
| plone | plone | 3.3.4 | |
| plone | plone | 3.3.5 | |
| plone | plone | 4.0 | |
| plone | plone | 4.0.1 | |
| plone | plone | 4.0.2 | |
| plone | plone | 4.0.3 | |
| plone | plone | 4.0.4 | |
| plone | plone | 4.0.5 | |
| plone | plone | 4.0.6.1 | |
| plone | plone | 4.1 | |
| plone | plone | 4.1.4 | |
| plone | plone | 4.1.5 | |
| plone | plone | 4.1.6 | |
| plone | plone | 4.2 | |
| plone | plone | 4.2.0.1 | |
| plone | plone | 4.2.1 | |
| plone | plone | 4.2.1.1 | |
| plone | plone | 4.3 | |
References
- https://nvd.nist.gov/vuln/detail/CVE-2012-5507
- https://bugs.launchpad.net/zope2/+bug/1071067
- https://github.com/advisories/GHSA-3qpr-7rmg-73v8
- https://github.com/plone/Products.CMFPlone/blob/4.2.3/docs/CHANGES.txt
- https://github.com/pypa/advisory-database/tree/main/vulns/plone/PYSEC-2014-49.yaml
- https://github.com/pypa/advisory-database/tree/main/vulns/zope2/PYSEC-2014-75.yaml
- https://plone.org/products/plone-hotfix/releases/20121106
- https://plone.org/products/plone/security/advisories/20121106/23
- http://www.openwall.com/lists/oss-security/2012/11/10/1
CWEs
CWE-362
Verify integrity in audit chain (admin only). AS-IS.