Vulnerability CVE-2008-5102 - CERT Civis.Net

Vulnerability Name:

CVE-2008-5102 (CCN-44660)

Assigned:

2008-08-12

Published:

2008-08-12

Updated:

2009-09-01

Summary:

PythonScripts in Zope 2 2.11.2 and earlier, as used in Conga and other products, allows remote authenticated users to cause a denial of service (resource consumption or application halt) via certain (1) raise or (2) import statements.
http://www.zope.org/Products/Zope/Hotfix-2008-08-12/README.txt

Affected Versions
* Zope 2.7.0 to Zope 2.11.2

---

http://openwall.com/lists/oss-security/2008/11/12/2

Affected Conga versions: - checked conga-0.9.1-8 (contains Zope2.7.5 RC2), conga-0.12.0-7.el5 (contains Zope-2.8.4),
- but older,newer Conga versions can be also vulnerable to this issue (based on Zope 2 version).

CVSS v3 Severity:

4.0 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Low

CVSS v2 Severity:

4.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:N/A:P)
3.0 Low (Temporal CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:N/A:P/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Partial

1.9 Low (CCN CVSS v2 Vector: AV:L/AC:M/Au:N/C:N/I:N/A:P)
1.4 Low (CCN Temporal CVSS v2 Vector: AV:L/AC:M/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): Medium Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Partial

Vulnerability Type:

Vulnerability Consequences:

Denial of Service

References:

Source: CONFIRM
Type: UNKNOWN
http://bugs.gentoo.org/show_bug.cgi?id=246411

Source: MITRE
Type: CNA
CVE-2008-5102

Source: MLIST
Type: UNKNOWN
[Zope] 20080812 Script (Python) insecure ?

Source: MLIST
Type: UNKNOWN
[oss-security] 20081112 CVE Request - Zope 2 - PythonScripts local DoS

Source: CCN
Type: OSVDB ID: 50487
PythonScripts for Zope Multiple Statements Remote DoS

Source: CCN
Type: BID-32267
Zope PythonScript Multiple Remote Denial Of Service Vulnerabilities

Source: VUPEN
Type: UNKNOWN
ADV-2008-2418

Source: CCN
Type: Zope Security advisory 2008-08-12
Critical errors in Zope 2 PythonScripts

Source: CONFIRM
Type: Patch
http://www.zope.org/Products/Zope/Hotfix-2008-08-12/Hotfix_20080812-1.1.0.tar.gz

Source: CONFIRM
Type: Vendor Advisory
http://www.zope.org/Products/Zope/Hotfix-2008-08-12/README.txt

Source: CCN
Type: Launchpad Bug #257269
PythonScripts: raise SystemExit will shut down complete Zope instance

Source: CONFIRM
Type: UNKNOWN
https://bugs.launchpad.net/zope2/+bug/257269

Source: CCN
Type: Launchpad Bug #257276
PythonScripts attackable through encode()/decode() call

Source: CONFIRM
Type: UNKNOWN
https://bugs.launchpad.net/zope2/+bug/257276

Source: XF
Type: UNKNOWN
zope-pythonscripts-dos(44660)

Vulnerable Configuration:

Configuration 1:

cpe:/a:zope:zope:1.10.3:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:1.10.4:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.0.0:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.0.0a4:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.0.0b4:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.0.0b5:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.0.0b6:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.0.1:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.1.0:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.1.0b1:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.1.0b2:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.1.1:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.1.2:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.1.3:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.1.4:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.1.5:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.1.6:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.2.0:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.2.0a1:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.2.0b1:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.2.0b2:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.2.0b3:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.2.0b4:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.2.1:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.2.1b1:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.2.2:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.2.3:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.2.4:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.2.4b1:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.2.5:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.2.5b1:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.3.0:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.3.0a1:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.3.0a2:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.3.0b1:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.3.0b2:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.3.0b3:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.3.1:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.3.1b1:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.3.1b2:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.3.1b3:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.3.2:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.3.2b1:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.3.2b2:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.3.3:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.3.3b1:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.4.0:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.4.0a1:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.4.0b1:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.4.0b2:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.4.0b3:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.4.1:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.4.1b1:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.4.2:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.4.2b1:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.4.3:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.4.3:upgrade:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.4.3b1:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.4.4:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.4.4:upgrade:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.4.4b1:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.5.0:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.5.0a1:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.5.0a2:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.5.0b1:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.5.1:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.5.1:upgrade:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.5.1b1:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.5.1b2:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.6.0:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.6.0a1:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.6.0b1:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.6.0b2:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.6.1:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.6.1:upgrade:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.6.1.b1:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.6.2:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.6.2.b1:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.6.2.b2:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.6.2.b3:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.6.2.b4:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.6.2.b5:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.6.2.b6:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.6.3:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.6.4:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.6.4:rc1:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.6.4:rc2:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.7.0-a1:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.7.0-b1:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.7.0-b2:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.7.0-b3:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.7.0-b4:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.7.0-c1:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.7.0-c2:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.7.0-final:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.7.1-b1:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.7.1-b2:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.7.1-final:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.7.2-c1:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.7.2-final:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.7.3-b1:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.7.3-b2:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.7.3-final:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.7.4-b1:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.7.4-b2:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.7.4-c1:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.7.4-c2:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.7.4-final:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.7.5-b1:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.7.5-c1:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.7.5-final:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.7.6-b1:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.7.6-b2:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.7.6-final:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.7.7-b1:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.7.7-final:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.7.8:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.7.9:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.8.0-a1:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.8.0-a2:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.8.0-b1:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.8.0-b2:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.8.0-final:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.8.1-b1:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.8.1-final:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.8.2:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.8.3:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.8.4:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.8.5:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.8.6:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.8.7:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.8.8:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.8.9:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.8.9.1:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.8.10:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.9.0-b1:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.9.0-b2:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.9.0-final:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.9.1:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.9.2:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.9.3:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.9.4:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.9.5:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.9.6:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.9.7:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.9.8:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.9.9:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.9.10:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.10.0-b1:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.10.0-b2:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.10.0-c1:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.10.0-final:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.10.2-b1:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.10.2-final:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.10.3-final:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.10.4-final:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.10.5:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.10.6:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.10.7:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.11.0:-:*:*:*:*:*:*

OR cpe:/a:zope:zope:2.11.1:*:*:*:*:*:*:*

OR cpe:/a:zope:zope:*:*:*:*:*:*:*:* (Version <= 2.11.2)

Configuration CCN 1:

cpe:/a:zope:zope:2.7:*:*:*:*:*:*:*

Denotes that component is vulnerable