Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTQ4dnYtMnBtcS05ZnZ2

High CVSS: 8.7 EPSS: 0.00403% (0.59688 Percentile) EPSS:
Permalink JSON

Plone and Zope2 do not reseed pseudo-random number generator

Affected Packages Affected Versions Fixed Versions
pypi:Plone
PURL: pkg:pypi/plone
>= 3.2.2, < 4.2.3 4.2.3
5 Dependent packages
7 Dependent repositories
22,831 Downloads last month

Affected Version Ranges

All affected versions

3.2.2, 3.2.3, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.2.1, 4.2.2

All unaffected versions

3.2.1, 4.2.3, 4.2.4, 4.2.5, 4.2.6, 4.2.7, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 4.3.8, 4.3.9, 4.3.10, 4.3.11, 4.3.12, 4.3.13, 4.3.14, 4.3.15, 4.3.16, 4.3.17, 4.3.18, 4.3.19, 4.3.20, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.1.0, 5.1.1, 5.1.2, 5.1.3, 5.1.4, 5.1.5, 5.1.6, 5.1.7, 5.2.0, 5.2.1, 5.2.2, 5.2.3, 5.2.4, 5.2.5, 5.2.6, 5.2.7, 5.2.8, 5.2.9, 5.2.10, 5.2.11, 5.2.12, 5.2.13, 5.2.14, 5.2.15, 6.0.0, 6.0.0a1, 6.0.0a2, 6.0.0a3, 6.0.0a4, 6.0.0a5, 6.0.0a6, 6.0.0b1, 6.0.0b2, 6.0.0b3, 6.0.0rc1, 6.0.0rc2, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.0.15rc1, 6.0.15rc2, 6.1.0, 6.1.0a1, 6.1.0a2, 6.1.0a3, 6.1.0a4, 6.1.0a5, 6.1.0b1, 6.1.0b2, 6.1.0rc1, 6.1.1, 6.1.1rc1, 6.1.1rc2, 6.1.2, 6.1.3
pypi:Zope2
PURL: pkg:pypi/zope2
< 2.13.19 2.13.19
9 Dependent packages
4 Dependent repositories
18,896 Downloads last month

Affected Version Ranges

All affected versions

2.12.0, 2.12.0a2, 2.12.0a3, 2.12.0a4, 2.12.0b1, 2.12.0b2, 2.12.0b3, 2.12.0b4, 2.12.0c1, 2.12.1, 2.12.2, 2.12.3, 2.12.4, 2.12.5, 2.12.6, 2.12.7, 2.12.8, 2.12.9, 2.12.10, 2.12.11, 2.12.12, 2.12.13, 2.12.14, 2.12.15, 2.12.16, 2.12.17, 2.12.18, 2.12.19, 2.12.20, 2.12.21, 2.12.22, 2.12.23, 2.12.24, 2.12.25, 2.12.26, 2.12.27, 2.12.28, 2.13.0, 2.13.0a1, 2.13.0a2, 2.13.0a3, 2.13.0a4, 2.13.0b1, 2.13.0c1, 2.13.1, 2.13.2, 2.13.3, 2.13.4, 2.13.5, 2.13.6, 2.13.7, 2.13.8, 2.13.9, 2.13.10, 2.13.11, 2.13.12, 2.13.13, 2.13.14, 2.13.15, 2.13.16, 2.13.17, 2.13.18

All unaffected versions

2.13.19, 2.13.20, 2.13.21, 2.13.22, 2.13.23, 2.13.24, 2.13.25, 2.13.26, 2.13.27, 2.13.28, 2.13.29, 2.13.30

Zope before 2.13.19, as used in Plone before 4.2.3 and 4.3 before beta 1, does not reseed the pseudo-random number generator (PRNG), which makes it easier for remote attackers to guess the value via unspecified vectors. NOTE: this issue was SPLIT from CVE-2012-5508 due to different vulnerability types (ADT2).

References:

Identifiers

GHSA-48vv-2pmq-9fvv

CVE-2012-6661

Risk

Severity

High

CVSS

CVSS Score: 8.7

CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS

EPSS Percentage: 0.00403

EPSS Percentile: 0.59688

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/plone/Products.CMFPlone

Date and time

Published

over 7 years ago

Updated

about 1 year ago

API

JSON