{"url":"http://public2.vulnerablecode.io/api/packages/8489?format=json","purl":"pkg:pypi/zope2@2.12.2","type":"pypi","namespace":"","name":"zope2","version":"2.12.2","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"2.13.19","latest_non_vulnerable_version":"2.13.19","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/34902?format=json","vulnerability_id":"VCID-2sk4-yc6h-17c4","summary":"The App.Undo.UndoSupport.get_request_var_or_attr function in Zope before 2.12.21 and 2.13.x before 2.13.11, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote authenticated users to gain access to restricted attributes via unspecified vectors.","references":[{"reference_url":"https://bugs.launchpad.net/zope2/+bug/1079238","reference_id":"","reference_type":"","scores":[],"url":"https://bugs.launchpad.net/zope2/+bug/1079238"},{"reference_url":"https://github.com/advisories/GHSA-879r-7f3w-8jj3","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-879r-7f3w-8jj3"},{"reference_url":"https://github.com/plone/Products.CMFPlone/blob/4.2.3/docs/CHANGES.txt","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/plone/Products.CMFPlone/blob/4.2.3/docs/CHANGES.txt"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/plone/PYSEC-2014-31.yaml","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/plone/PYSEC-2014-31.yaml"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/zope2/PYSEC-2014-74.yaml","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/zope2/PYSEC-2014-74.yaml"},{"reference_url":"https://plone.org/products/plone-hotfix/releases/20121106","reference_id":"","reference_type":"","scores":[],"url":"https://plone.org/products/plone-hotfix/releases/20121106"},{"reference_url":"https://plone.org/products/plone/security/advisories/20121106/05","reference_id":"","reference_type":"","scores":[],"url":"https://plone.org/products/plone/security/advisories/20121106/05"},{"reference_url":"http://www.openwall.com/lists/oss-security/2012/11/10/1","reference_id":"","reference_type":"","scores":[],"url":"http://www.openwall.com/lists/oss-security/2012/11/10/1"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2012-5489","reference_id":"CVE-2012-5489","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2012-5489"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/8519?format=json","purl":"pkg:pypi/zope2@2.12.21","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-g2ap-vh6r-yqds"},{"vulnerability":"VCID-khhr-m295-23gs"},{"vulnerability":"VCID-krfw-xa2b-vue5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/zope2@2.12.21"},{"url":"http://public2.vulnerablecode.io/api/packages/8520?format=json","purl":"pkg:pypi/zope2@2.13.11","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-g2ap-vh6r-yqds"},{"vulnerability":"VCID-khhr-m295-23gs"},{"vulnerability":"VCID-krfw-xa2b-vue5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/zope2@2.13.11"}],"aliases":["CVE-2012-5489","GHSA-879r-7f3w-8jj3","PYSEC-2014-31","PYSEC-2014-74"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2sk4-yc6h-17c4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/34910?format=json","vulnerability_id":"VCID-g2ap-vh6r-yqds","summary":"AccessControl/AuthEncoding.py in Zope before 2.13.19, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote attackers to obtain passwords via vectors involving timing discrepancies in password validation.","references":[{"reference_url":"https://bugs.launchpad.net/zope2/+bug/1071067","reference_id":"","reference_type":"","scores":[],"url":"https://bugs.launchpad.net/zope2/+bug/1071067"},{"reference_url":"https://github.com/advisories/GHSA-3qpr-7rmg-73v8","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-3qpr-7rmg-73v8"},{"reference_url":"https://github.com/plone/Products.CMFPlone/blob/4.2.3/docs/CHANGES.txt","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/plone/Products.CMFPlone/blob/4.2.3/docs/CHANGES.txt"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/plone/PYSEC-2014-49.yaml","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/plone/PYSEC-2014-49.yaml"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/zope2/PYSEC-2014-75.yaml","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/zope2/PYSEC-2014-75.yaml"},{"reference_url":"https://plone.org/products/plone-hotfix/releases/20121106","reference_id":"","reference_type":"","scores":[],"url":"https://plone.org/products/plone-hotfix/releases/20121106"},{"reference_url":"https://plone.org/products/plone/security/advisories/20121106/23","reference_id":"","reference_type":"","scores":[],"url":"https://plone.org/products/plone/security/advisories/20121106/23"},{"reference_url":"http://www.openwall.com/lists/oss-security/2012/11/10/1","reference_id":"","reference_type":"","scores":[],"url":"http://www.openwall.com/lists/oss-security/2012/11/10/1"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2012-5507","reference_id":"CVE-2012-5507","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2012-5507"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/8541?format=json","purl":"pkg:pypi/zope2@2.13.19","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/zope2@2.13.19"}],"aliases":["CVE-2012-5507","GHSA-3qpr-7rmg-73v8","PYSEC-2014-49","PYSEC-2014-75"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-g2ap-vh6r-yqds"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/34935?format=json","vulnerability_id":"VCID-khhr-m295-23gs","summary":"Zope before 2.13.19, as used in Plone before 4.2.3 and 4.3 before beta 1, does not reseed the pseudo-random number generator (PRNG), which makes it easier for remote attackers to guess the value via unspecified vectors.  NOTE: this issue was SPLIT from CVE-2012-5508 due to different vulnerability types (ADT2).","references":[{"reference_url":"https://bugs.launchpad.net/zope2/+bug/1071067","reference_id":"","reference_type":"","scores":[],"url":"https://bugs.launchpad.net/zope2/+bug/1071067"},{"reference_url":"https://github.com/advisories/GHSA-48vv-2pmq-9fvv","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-48vv-2pmq-9fvv"},{"reference_url":"https://github.com/plone/Products.CMFPlone","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/plone/Products.CMFPlone"},{"reference_url":"https://github.com/plone/Products.CMFPlone/blob/4.2.3/docs/CHANGES.txt","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/plone/Products.CMFPlone/blob/4.2.3/docs/CHANGES.txt"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/plone/PYSEC-2014-51.yaml","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/plone/PYSEC-2014-51.yaml"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/zope2/PYSEC-2014-76.yaml","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/zope2/PYSEC-2014-76.yaml"},{"reference_url":"https://plone.org/products/plone-hotfix/releases/20121124","reference_id":"","reference_type":"","scores":[],"url":"https://plone.org/products/plone-hotfix/releases/20121124"},{"reference_url":"https://plone.org/products/plone/security/advisories/20121106/24","reference_id":"","reference_type":"","scores":[],"url":"https://plone.org/products/plone/security/advisories/20121106/24"},{"reference_url":"http://www.openwall.com/lists/oss-security/2012/11/10/1","reference_id":"","reference_type":"","scores":[],"url":"http://www.openwall.com/lists/oss-security/2012/11/10/1"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2012-6661","reference_id":"CVE-2012-6661","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2012-6661"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/8541?format=json","purl":"pkg:pypi/zope2@2.13.19","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/zope2@2.13.19"}],"aliases":["CVE-2012-6661","GHSA-48vv-2pmq-9fvv","PYSEC-2014-51","PYSEC-2014-76"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-khhr-m295-23gs"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/34913?format=json","vulnerability_id":"VCID-krfw-xa2b-vue5","summary":"ZPublisher.HTTPRequest._scrubHeader in Zope 2 before 2.13.19, as used in Plone before 4.3 beta 1, allows remote attackers to inject arbitrary HTTP headers via a linefeed (LF) character.","references":[{"reference_url":"http://rhn.redhat.com/errata/RHSA-2014-1194.html","reference_id":"","reference_type":"","scores":[],"url":"http://rhn.redhat.com/errata/RHSA-2014-1194.html"},{"reference_url":"https://access.redhat.com/errata/RHSA-2014:1194","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2014:1194"},{"reference_url":"https://bugs.launchpad.net/zope2/+bug/930812","reference_id":"","reference_type":"","scores":[],"url":"https://bugs.launchpad.net/zope2/+bug/930812"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=878939","reference_id":"","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=878939"},{"reference_url":"https://github.com/advisories/GHSA-77hv-8796-8ccp","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-77hv-8796-8ccp"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/plone/PYSEC-2014-28.yaml","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/plone/PYSEC-2014-28.yaml"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/zope2/PYSEC-2014-73.yaml","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/zope2/PYSEC-2014-73.yaml"},{"reference_url":"https://plone.org/products/plone-hotfix/releases/20121106","reference_id":"","reference_type":"","scores":[],"url":"https://plone.org/products/plone-hotfix/releases/20121106"},{"reference_url":"https://plone.org/products/plone/security/advisories/20121106/02","reference_id":"","reference_type":"","scores":[],"url":"https://plone.org/products/plone/security/advisories/20121106/02"},{"reference_url":"http://www.openwall.com/lists/oss-security/2012/11/10/1","reference_id":"","reference_type":"","scores":[],"url":"http://www.openwall.com/lists/oss-security/2012/11/10/1"},{"reference_url":"https://access.redhat.com/security/cve/CVE-2012-5486","reference_id":"CVE-2012-5486","reference_type":"","scores":[],"url":"https://access.redhat.com/security/cve/CVE-2012-5486"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2012-5486","reference_id":"CVE-2012-5486","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2012-5486"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/8541?format=json","purl":"pkg:pypi/zope2@2.13.19","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/zope2@2.13.19"}],"aliases":["CVE-2012-5486","GHSA-77hv-8796-8ccp","PYSEC-2014-28","PYSEC-2014-73"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-krfw-xa2b-vue5"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/zope2@2.12.2"}