An issue in Plone Docker Official Image 5.2.13 (5221) open-source software that could allow for remote code execution due to a package listed in ++plone++static/components not existing in the public package index (npm).
The ++plone++static/components path references an npm package that does not exist in the public package index (npm registry). This is a classic 'dependency confusion' attack (CWE-427 — uncontrolled search path element): if a dependency is not available in a private or internal source, the package manager may fall back to a package with the same name published in the public registry. An attacker can publish a malicious package under the missing name, which will be automatically downloaded and executed in the context of the Plone installation.
Successful exploitation of this vulnerability allows an attacker to execute arbitrary code remotely (RCE) in the Docker container runtime environment, which may lead to complete instance takeover, data leakage, and further lateral movement in the infrastructure.
Apply patches available from the vendor according to the references. Additionally, it is recommended to block the ability to resolve npm dependencies from the public registry for internal packages and verify all dependencies listed in the configuration of Plone static components.
Plone Docker Official Image version 5.2.13 (build 5221)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HPlone Docker Official Image
APPPlone5.2.13
Related vulnerabilities
An issue in Plone Docker Official Image 5.2.13 (5221) open-source software allows for remote code execution vi...
Plone through 5.2.4 allows remote authenticated managers to perform disk I/O via crafted keyword arguments to ...
The official plone Docker images before version of 4.3.18-alpine (Alpine specific) contain a blank password fo...
A privilege escalation issue in plone.app.contenttypes in Plone 4.3 through 5.2.1 allows users to PUT (overwri...
Due to incorrect access control in Plone version v6.0.9, remote attackers can view and list all files hosted o...