QID 982403: Python (pip) Security Update for Products.GenericSetup (GHSA-jff3-mwp3-f8cw)
Security update has been released for Products.GenericSetup to fix the vulnerability.
Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
_What kind of vulnerability is it? Who is impacted?_
Information disclosure vulnerability - anonymous visitors may view log and snapshot files generated by the Generic Setup Tool.
Solution
_Has the problem been patched? What versions should users upgrade to?_
The problem has been fixed in version 2.1.1. Depending on how you have installed Products.GenericSetup, you should change the buildout version pin to 2.1.1 and re-run the buildout, or if you used pip simply do `pip install "Products.GenericSetup>=2.1.1"`.
Workaround:
_Is there a way for users to fix or remediate the vulnerability without upgrading?_
Visit the ZMI Security tab at `portal_setup/manage_access` and click on the link _Access contents information_. On the next page, uncheck the box _Also use roles acquired from folders containing this objects_ at the bottom and check the boxes for _Manager_ and _Owner_. Then click on _Save Changes_. Return to the ZMI Security tab at `portal_setup/manage_access` and scroll down to the link _View_. Click on _View_, uncheck the box _Also use roles acquired from folders containing this objects_ at the bottom and check the boxes for _Manager_ and _Owner_. Then click on _Save Changes_.
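To confirm which upgrade path above applies, the following added example (not part of the advisory or of the Products.GenericSetup project) reads a buildout `[versions]` pin or an exact `==` pin from a pip requirements file and flags anything below the fixed release 2.1.1. The function names and the sample inputs are constructed for illustration.

```python
import configparser
import re

PACKAGE = "products-genericsetup"  # normalized project name
FIXED = (2, 1, 1)                  # fixed release stated in the advisory

def normalize(name):
    """pip-style name normalization: case-insensitive, '-', '_' and '.' equivalent."""
    return re.sub(r"[-_.]+", "-", name).lower()

def release_tuple(version):
    """Leading numeric release of a version string; pre-release suffixes are ignored."""
    match = re.match(r"\d+(?:\.\d+)*", version.strip())
    if not match:
        raise ValueError(f"unparseable version: {version!r}")
    parts = tuple(int(p) for p in match.group(0).split("."))
    return parts + (0,) * (3 - len(parts))

def buildout_pin(cfg_text):
    """Return the [versions] pin for the package in a buildout config, or None."""
    parser = configparser.RawConfigParser(strict=False)
    parser.read_string(cfg_text)
    if parser.has_section("versions"):
        for name, value in parser.items("versions"):
            if normalize(name) == PACKAGE:
                return value.strip()
    return None

def requirements_pin(req_text):
    """Return the version of an exact '==' pin in a pip requirements file, or None."""
    for line in req_text.splitlines():
        m = re.match(r"\s*([A-Za-z0-9._-]+)\s*==\s*([^\s;,#]+)", line)
        if m and normalize(m.group(1)) == PACKAGE:
            return m.group(2)
    return None

def needs_upgrade(pin):
    """True when a pin exists and is below the fixed release."""
    return pin is not None and release_tuple(pin) < FIXED

# Constructed sample inputs (not taken from any real deployment).
SAMPLE_BUILDOUT = "[buildout]\nparts = instance\n\n[versions]\nexample.package = 1.0\nProducts.GenericSetup = 2.1.0\n"
SAMPLE_REQUIREMENTS = "example-package==1.0\nProducts.GenericSetup==2.1.1  # fixed release\n"

if __name__ == "__main__":
    for label, pin in (("buildout", buildout_pin(SAMPLE_BUILDOUT)),
                       ("requirements", requirements_pin(SAMPLE_REQUIREMENTS))):
        print(f"{label}: pin={pin} needs_upgrade={needs_upgrade(pin)}")
```

A result of `None` from either pin function means the package is not pinned in that file, so the installed version has to be checked in the environment itself.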
Vendor References
- GHSA-jff3-mwp3-f8cw - github.com/advisories/GHSA-jff3-mwp3-f8cw
CVEs related to QID 982403
Software Advisories
| Advisory ID | Software | Component | Link |
|---|---|---|---|
| GHSA-jff3-mwp3-f8cw | Products.GenericSetup | | |