Plone security advisory 2023/09/21

Various vulnerabilities in Plone and Zope have been reported and fixed. They affect all supported Plone versions: 5.2 and 6.0. Older Plone versions are likely also affected.

There will be no hotfix package for these: you should update the version pins of the individual packages. See this post about why we do fewer hotfix packages.

Denial of service

In plone.rest, when the ++api++ traverser is accidentally used multiple times in a URL, handling the request takes increasingly longer, making the server less responsive.

Security advisory: CVE-2023-42457.

Stored XSS

There is a stored cross-site scripting vulnerability for SVG images. A security hotfix from 2021 already partially fixed this, by making sure SVG images are always downloaded instead of shown inline. But the same problem still exists for scales of SVG images. And it exists for user portraits, both in Volto and ClassicUI.

Technically, ClassicUI is not vulnerable for the user portrait part, because you cannot upload an SVG as a user portrait. But in Volto you can, so you may be able to reach a vulnerable URL in the backend anyway.

Note that a page that uses an image tag with an SVG image as source is never vulnerable, even when the SVG image contains malicious code. To exploit the vulnerability, an attacker would first need to upload a malicious SVG image, and then trick a user into following a specially crafted link.

Fixes are needed in three packages. We link to the security advisories:

Information disclosure and sandbox escape

Earlier this month, new Zope releases were made, which included security releases of AccessControl and RestrictedPython. See the community announcement.

Fixed Plone versions

All needed packages will be included in upcoming Plone 5.2.14 and 6.0.7. These will be announced shortly.

Package versions

If you cannot or do not want to upgrade your entire Plone version, you can upgrade individual package versions.

Fixes are available in these versions:

AccessControl = 4.4, 6.2
RestrictedPython = 5.4, 6.2
plone.namedfile = 5.6.1, 6.0.3, 6.1.3, 6.2.1
plone.rest = 2.0.1, 3.0.1
plone.restapi = 8.43.3
Zope = 4.8.10, 5.8.5

If you are using Buildout, then for the Zope, AccessControl and RestrictedPython versions it is best to update the [buildout] extends lines to include the following.

For Plone 5.2: https://zopefoundation.github.io/Zope/releases/4.8.10/versions.cfg

For Plone 6: https://zopefoundation.github.io/Zope/releases/5.8.5/versions.cfg

So which versions of these packages should you use on which Plone version?

To avoid surprises, you should use the version that is closest to the version you are already using. If you use the default versions, the following should help. This uses the Buildout notation. If you use a pip constraints file, you should use a double equals sign.

Plone 5.2

AccessControl = 4.4
plone.namedfile = 5.6.1
RestrictedPython = 5.4
Zope = 4.8.10

If you run Plone 5.2 on Python 3, and you are already using plone.restapi 8, then you can additionally use:

plone.restapi = 8.43.3

Plone 6.0.0/6.0.1

AccessControl = 6.2
plone.namedfile = 6.0.3
plone.rest = 2.0.1
plone.restapi = 8.43.3
RestrictedPython = 6.2
Zope = 5.8.5

Plone 6.0.2 - 6.0.4

AccessControl = 6.2
plone.namedfile = 6.0.3
plone.rest = 3.0.1
plone.restapi = 8.43.3
RestrictedPython = 6.2
Zope = 5.8.5

Plone 6.0.5/6.0.6

AccessControl = 6.2
plone.namedfile = 6.1.3
plone.rest = 3.0.1
plone.restapi = 8.43.3
RestrictedPython = 6.2
Zope = 5.8.5
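An added example, not from the advisory or the Plone project: a small Python helper that applies the rule above (stay in the series you already run) to the fixed versions listed in this post and renders the resulting pin in Buildout or pip-constraints notation. The function names are my own.

```python
"""Added example (not from the advisory): pick the fixed release closest to
an installed version, following the rule that you stay in the series you
already use. The version numbers below are the ones listed in the advisory."""
from typing import Optional

# Fixed versions as listed in the advisory, per package.
FIXED = {
    "AccessControl": ["4.4", "6.2"],
    "RestrictedPython": ["5.4", "6.2"],
    "plone.namedfile": ["5.6.1", "6.0.3", "6.1.3", "6.2.1"],
    "plone.rest": ["2.0.1", "3.0.1"],
    "plone.restapi": ["8.43.3"],
    "Zope": ["4.8.10", "5.8.5"],
}


def parse(version: str) -> tuple:
    # Simple dotted-integer parser; sufficient for the release numbers above.
    return tuple(int(part) for part in version.split("."))


def closest_fix(package: str, installed: str) -> Optional[str]:
    """Return the fixed release in the installed version's own series
    (major.minor first, then major), or None if no fix exists in that series."""
    inst = parse(installed)
    candidates = [parse(v) for v in FIXED[package]]
    # Prefer the same major.minor (plone.namedfile 6.0.x -> 6.0.3) ...
    same_minor = [c for c in candidates if c[:2] == inst[:2]]
    # ... and otherwise the same major (AccessControl 6.0 -> 6.2).
    same_major = [c for c in candidates if c[:1] == inst[:1]]
    pool = same_minor or same_major
    if not pool:
        return None
    # Smallest fix at or above what is installed; if already newer than every
    # fix in the series, report the highest one (no upgrade needed).
    higher = [c for c in pool if c >= inst]
    chosen = min(higher) if higher else max(pool)
    return ".".join(str(p) for p in chosen)


def needs_upgrade(package: str, installed: str) -> bool:
    """True when the installed version is below the closest fixed release."""
    target = closest_fix(package, installed)
    return target is not None and parse(installed) < parse(target)


def pin_line(package: str, installed: str, pip: bool = False) -> Optional[str]:
    """Render the pin: Buildout uses '=', a pip constraints file uses '=='."""
    target = closest_fix(package, installed)
    if target is None:
        return None
    return f"{package} {'==' if pip else '='} {target}"
```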

If you are having problems with the installation, or see regressions, please make a post in this thread, and anyone can help you.

If you see further security problems, please mail the Plone/Zope Security Team.


Plone 5.2.14 and 6.0.7 are available on dist.plone.org:
https://dist.plone.org/release/5.2.14/
https://dist.plone.org/release/6.0.7/

Docker images (and universal installer for 5.2) will come soon. Announcements to follow in different posts.


Thank you Maurits for working on this. You rock!!!

The version 8.43.4 of plone.restapi does not exist: https://pypi.org/project/plone.restapi/8.43.4


Ouch, sorry about that, that should be plone.restapi = 8.43.3.
I know I had that error initially, and fixed it, but apparently I only did that on the plone.org announcement. Except that I missed one there as well, which I fixed just now...

I have edited my original post here to be correct.
Thanks!

@mauritsvanrees Thanks for the fix, but AccessControl = 5.8 does not exist either, and it is also in the announcement on Plone.org.

Seriously? Ouch again!
I took the versions from the AccessControl security announcement and it said it was fixed in 5.8. The discussion below the announcement (not visible to most users) shows that a release was initially planned, but this version was deemed not used, so it was skipped. For Plone this is indeed true: on 5.2 you should use AccessControl 4, and on each Plone 6 version you can use AccessControl 6: the only breaking change is that Python versions are dropped that we do not need.

I have updated the versions above, on plone.org, and in the AccessControl announcement.

Thanks @pbauer !