High severityNVD Advisory· Published Sep 30, 2014· Updated May 6, 2026
CVE-2012-5507
CVE-2012-5507
Description
AccessControl/AuthEncoding.py in Zope before 2.13.19, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote attackers to obtain passwords via vectors involving timing discrepancies in password validation.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
Zope2PyPI | < 2.13.19 | 2.13.19 |
PlonePyPI | >= 3.2.2, < 4.2.3 | 4.2.3 |
PlonePyPI | >= 4.3a1, < 4.3b1 | 4.3b1 |
Affected products
99cpe:2.3:a:zope:zope:2.5.1:*:*:*:*:*:*:*+ 26 more
- cpe:2.3:a:zope:zope:2.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:zope:zope:2.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:zope:zope:2.6.4:*:*:*:*:*:*:*
- cpe:2.3:a:zope:zope:2.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:zope:zope:2.7.3:*:*:*:*:*:*:*
- cpe:2.3:a:zope:zope:2.7.4:*:*:*:*:*:*:*
- cpe:2.3:a:zope:zope:2.7.5:*:*:*:*:*:*:*
- cpe:2.3:a:zope:zope:2.7.6:*:*:*:*:*:*:*
- cpe:2.3:a:zope:zope:2.7.7:*:*:*:*:*:*:*
- cpe:2.3:a:zope:zope:2.7.8:*:*:*:*:*:*:*
- cpe:2.3:a:zope:zope:2.8.1:*:*:*:*:*:*:*
- cpe:2.3:a:zope:zope:2.8.4:*:*:*:*:*:*:*
- cpe:2.3:a:zope:zope:2.8.6:*:*:*:*:*:*:*
- cpe:2.3:a:zope:zope:2.8.8:*:*:*:*:*:*:*
- cpe:2.3:a:zope:zope:2.9.2:*:*:*:*:*:*:*
- cpe:2.3:a:zope:zope:2.9.3:*:*:*:*:*:*:*
- cpe:2.3:a:zope:zope:2.9.4:*:*:*:*:*:*:*
- cpe:2.3:a:zope:zope:2.9.5:*:*:*:*:*:*:*
- cpe:2.3:a:zope:zope:2.9.6:*:*:*:*:*:*:*
- cpe:2.3:a:zope:zope:2.9.7:*:*:*:*:*:*:*
- cpe:2.3:a:zope:zope:2.10.3:*:*:*:*:*:*:*
- cpe:2.3:a:zope:zope:2.10.8:*:*:*:*:*:*:*
- cpe:2.3:a:zope:zope:2.11.0:*:*:*:*:*:*:*
- cpe:2.3:a:zope:zope:2.11.1:*:*:*:*:*:*:*
- cpe:2.3:a:zope:zope:2.11.2:*:*:*:*:*:*:*
- cpe:2.3:a:zope:zope:2.11.3:*:*:*:*:*:*:*
- cpe:2.3:a:zope:zope:2.13.18:*:*:*:*:*:*:*
cpe:2.3:a:plone:plone:2.5.4:*:*:*:*:*:*:*+ 71 more
- cpe:2.3:a:plone:plone:2.5.4:*:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:*:*:*:*:*:*:*:*range: <=4.2.2
- cpe:2.3:a:plone:plone:1.0:*:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:1.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:1.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:1.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:1.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:1.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:2.0:*:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:2.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:2.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:2.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:2.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:2.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:2.1:*:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:2.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:2.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:2.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:2.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:2.5:*:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:2.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:2.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:2.5.3:*:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:2.5.5:*:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:3.0:*:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:3.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:3.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:3.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:3.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:3.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:3.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:3.1:*:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:3.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:3.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:3.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:3.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:3.1.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:3.1.6:*:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:3.1.7:*:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:3.2:*:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:3.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:3.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:3.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:3.3:*:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:3.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:3.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:3.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:3.3.4:*:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:3.3.5:*:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:4.0:*:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:4.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:4.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:4.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:4.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:4.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:4.0.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:4.1:*:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:4.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:4.1.5:*:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:4.1.6:*:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:4.2:*:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:4.2:a1:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:4.2:a2:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:4.2:b1:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:4.2:b2:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:4.2:rc1:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:4.2:rc2:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:4.2.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:4.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:4.2.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:plone:plone:4.3:*:*:*:*:*:*:*
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
9- plone.org/products/plone-hotfix/releases/20121106nvdPatchWEB
- github.com/advisories/GHSA-3qpr-7rmg-73v8ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2012-5507ghsaADVISORY
- plone.org/products/plone/security/advisories/20121106/23nvdVendor AdvisoryWEB
- www.openwall.com/lists/oss-security/2012/11/10/1nvdWEB
- bugs.launchpad.net/zope2/+bug/1071067nvdWEB
- github.com/plone/Products.CMFPlone/blob/4.2.3/docs/CHANGES.txtnvdWEB
- github.com/pypa/advisory-database/tree/main/vulns/plone/PYSEC-2014-49.yamlghsaWEB
- github.com/pypa/advisory-database/tree/main/vulns/zope2/PYSEC-2014-75.yamlghsaWEB
News mentions
0No linked articles in our index yet.