CRITICAL🇵🇱 Wersja polska

CVE-2024-23054

CVSS 9.8v3.1pub. 2024-02-05upd. 2026-07-05

An issue in Plone Docker Official Image 5.2.13 (5221) open-source software that could allow for remote code execution due to a package listed in ++plone++static/components not existing in the public package index (npm).

🤖 AI Analysis
How it works

The ++plone++static/components path references an npm package that does not exist in the public package index (npm registry). This is a classic 'dependency confusion' attack (CWE-427 — uncontrolled search path element): if a dependency is not available in a private or internal source, the package manager may fall back to a package with the same name published in the public registry. An attacker can publish a malicious package under the missing name, which will be automatically downloaded and executed in the context of the Plone installation.

Impact

Successful exploitation of this vulnerability allows an attacker to execute arbitrary code remotely (RCE) in the Docker container runtime environment, which may lead to complete instance takeover, data leakage, and further lateral movement in the infrastructure.

Mitigation & patch

Apply patches available from the vendor according to the references. Additionally, it is recommended to block the ability to resolve npm dependencies from the public registry for internal packages and verify all dependencies listed in the configuration of Plone static components.

Who is affected

Plone Docker Official Image version 5.2.13 (build 5221)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Plone Docker Official Image

    APP
    Plone
    5.2.13
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCEContainer
CWE
References

Related vulnerabilities

CVE-2024-23055MEDIUM6.1ten sam produkt

An issue in Plone Docker Official Image 5.2.13 (5221) open-source software allows for remote code execution vi...

CVE-2021-33509CRITICAL9.9ten sam vendor

Plone through 5.2.4 allows remote authenticated managers to perform disk I/O via crafted keyword arguments to ...

CVE-2020-35190CRITICAL9.8ten sam vendor

The official plone Docker images before version of 4.3.18-alpine (Alpine specific) contain a blank password fo...

CVE-2020-7941CRITICAL9.8ten sam vendor

A privilege escalation issue in plone.app.contenttypes in Plone 4.3 through 5.2.1 allows users to PUT (overwri...

CVE-2024-22889HIGH7.5ten sam vendor

Due to incorrect access control in Plone version v6.0.9, remote attackers can view and list all files hosted o...