
CVE-2013-4191: Plone is vulnerable to Information Exposure when generating zip archives

CVSS Score (v3.1)
4.8

Basic Information

EPSS Score
0.53619%
Published
5/17/2022
Updated
10/15/2024
KEV Status
No
Technology
Python

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Package Name   Ecosystem   Vulnerable Versions   First Patched Version
plone          pip         >= 2.1, <= 4.1        4.1.1
plone          pip         >= 4.2, < 4.2.6       4.2.6
plone          pip         >= 4.3, < 4.3.2       4.3.2

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

The CVE description names zip.py as the module that fails to enforce access restrictions, but none of the public references (the CVE entry, the Red Hat Bugzilla ticket and the Plone security advisory) identify the specific function, and this entry does not establish where zip.py lives in the affected releases. What the sources agree on is the failure mode: when the archive-generation workflow collects content to include in a zip file, it adds items without verifying that the requesting user is permitted to read each one, so a remote user who can trigger the export obtains content they could not view directly by downloading the generated archive. The fix therefore belongs in that collection loop: an access check on each item as it is added, not only on the container the request was made against.
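The failure mode described above, as an added example that is neither Plone's code nor taken from the advisory: a toy exporter in Python that walks a constructed content tree and builds a zip archive, first in the vulnerable shape (every item reached by the walk is added) and then with a per-item access check. The sample tree, the role sets and the `user_can_view` helper are assumptions standing in for real Plone objects and the Zope permission check.

```python
import io
import zipfile
from dataclasses import dataclass


@dataclass(frozen=True)
class ContentItem:
    """One content object in a toy site tree (constructed sample, not Plone data)."""
    path: str               # path the item gets inside the archive
    data: bytes             # body that ends up in the zip
    view_roles: frozenset   # roles allowed to read this item (stand-in for a View permission)


# Constructed sample tree: a public page, a members-only page and a Manager-only draft.
SAMPLE_TREE = (
    ContentItem("site/index.txt", b"Welcome", frozenset({"Anonymous", "Member", "Manager"})),
    ContentItem("site/members.txt", b"Members only", frozenset({"Member", "Manager"})),
    ContentItem("site/draft.txt", b"Unpublished draft", frozenset({"Manager"})),
)


def user_can_view(item: ContentItem, user_roles: frozenset) -> bool:
    """Stand-in for a per-object access check (assumption, not Plone's API).

    In a Zope/Plone application this is where the real object would be checked with
    getSecurityManager().checkPermission('View', obj); here roles are compared
    directly so the example runs stand-alone.
    """
    return bool(item.view_roles & user_roles)


def build_zip_unchecked(items) -> bytes:
    """Vulnerable pattern: every item reached by the walk goes into the archive.

    The only access decision is whatever was made on the export request itself,
    so anyone who can trigger the export receives every object under the container.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for item in items:
            zf.writestr(item.path, item.data)
    return buf.getvalue()


def build_zip_checked(items, user_roles: frozenset) -> bytes:
    """Hardened pattern: the access check runs for each item as it is added."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for item in items:
            if not user_can_view(item, user_roles):
                # Omit rather than fail, so the archive does not reveal what was withheld.
                continue
            zf.writestr(item.path, item.data)
    return buf.getvalue()


def archive_entries(zip_bytes: bytes) -> list:
    """Sorted entry names of a generated archive, for inspection and testing."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return sorted(zf.namelist())


def archive_read(zip_bytes: bytes, name: str) -> bytes:
    """Body of one entry in a generated archive."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.read(name)


if __name__ == "__main__":
    anonymous = frozenset({"Anonymous"})
    print("unchecked:", archive_entries(build_zip_unchecked(SAMPLE_TREE)))
    print("checked  :", archive_entries(build_zip_checked(SAMPLE_TREE, anonymous)))
```

The difference between the two builders is only where the check sits. An anonymous request to `build_zip_unchecked` receives the Manager-only draft; the same request to `build_zip_checked` receives only the public page. In Plone the per-item check matters because workflow state and local roles can make an item inside a readable folder unreadable, so a single check on the container is not enough.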


Description

zip.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 does not properly enforce access restrictions when including content in a zip archive, which allows remote attackers to obtain sensitive information by reading a generated archive.
