SB2011030801 - Input validation error in Zope

Description

This security bulletin contains information about 1 vulnerability.

1) Input validation error (CVE-ID: CVE-2006-4684)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The docutils module in Zope (Zope2) 2.7.0 through 2.7.9 and 2.8.0 through 2.8.8 does not properly handle web pages with reStructuredText (reST) markup, which allows remote attackers to read arbitrary files via a csv_table directive, a different vulnerability than CVE-2006-3458.

Remediation

Install update from vendor's website.

References

• http://mail.zope.org/pipermail/zope-announce/2006-August/002005.html
• http://secunia.com/advisories/21947
• http://secunia.com/advisories/21953
• http://www.debian.org/security/2006/dsa-1176
• http://www.securityfocus.com/bid/20022
• http://www.vupen.com/english/advisories/2006/3653
• http://www.zope.org/Products/Zope/Hotfix-2006-08-21/Hotfix-20060821/README.txt