GHSA-p75f-g7gx-2r7p
GitHub Security Advisory
Exposure of Sensitive Information to an Unauthorized Actor in Products.PluggableAuthService ZODBRoleManager
Advisory Details
### Impact
_What kind of vulnerability is it? Who is impacted?_
Information disclosure vulnerability: any user, without authorization, can list the names of the roles defined in the ZODB Role Manager plugin if the site uses this plugin.
### Patches
_Has the problem been patched? What versions should users upgrade to?_
The problem has been fixed in version 2.6.0. Depending on how you installed Products.PluggableAuthService, either change the buildout version pin to 2.6.0 and re-run the buildout, or, if you installed with pip, run `pip install "Products.PluggableAuthService>=2.6.0"`.
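To confirm that an environment actually carries the fix, the installed version can be compared against the 2.6.0 floor given above. The following script is an added example for this advisory, not code from the Products.PluggableAuthService project: it reads the installed distribution version through `importlib.metadata` and compares it with a small version parser. The parser treats any pre-release tag (`b1`, `.dev0`, `rc1`) as older than the corresponding final release, which is a deliberate simplification of PEP 440 ordering and sufficient for a "fixed or not" check.

```python
"""Check whether the installed Products.PluggableAuthService includes the
fix from GHSA-p75f-g7gx-2r7p (fixed in 2.6.0).

Added example for this advisory; not part of the project's own code.
"""
import re
from importlib import metadata

PACKAGE = "Products.PluggableAuthService"  # distribution name as published
FIXED_VERSION = "2.6.0"                    # first fixed release per the advisory


def parse_version(text):
    """Convert a version string into a comparable tuple.

    Leading numeric components are compared as integers and padded to three
    places; the final element is 1 for a final release and 0 for anything
    carrying a pre-release tag, so '2.6.0b1' and '2.6.0.dev0' sort below
    '2.6.0'. This is a simplified ordering, not full PEP 440 (assumption
    made for this example).
    """
    nums = []
    prerelease = False
    for part in text.strip().split("."):
        m = re.match(r"(\d*)(.*)", part)
        if not m.group(1):
            # purely non-numeric component such as 'dev0' or 'rc1'
            prerelease = True
            break
        nums.append(int(m.group(1)))
        if m.group(2):
            # numeric component with a trailing tag, e.g. '0b1'
            prerelease = True
            break
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums) + (0 if prerelease else 1,)


def is_vulnerable(installed_version, fixed_version=FIXED_VERSION):
    """True when the installed version predates the fixed release."""
    return parse_version(installed_version) < parse_version(fixed_version)


def installed_version(package=PACKAGE):
    """Return the installed distribution version, or None if not installed."""
    try:
        return metadata.version(package)
    except metadata.PackageNotFoundError:
        return None


def check_environment():
    """Return (version_or_None, vulnerable). A missing package is not affected."""
    version = installed_version()
    if version is None:
        return None, False
    return version, is_vulnerable(version)


if __name__ == "__main__":
    version, vulnerable = check_environment()
    if version is None:
        print(f"{PACKAGE} is not installed in this environment")
    elif vulnerable:
        print(f"{PACKAGE} {version} is affected; upgrade to >= {FIXED_VERSION}")
    else:
        print(f"{PACKAGE} {version} includes the fix")
```

Run it inside the same virtualenv or buildout Python that serves the Zope instance, since `importlib.metadata` only sees distributions on that interpreter's path.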
### Workarounds
_Is there a way for users to fix or remediate the vulnerability without upgrading?_
There is no workaround. Users are encouraged to upgrade.
### References
_Are there any links users can visit to find out more?_
- [GHSA-p75f-g7gx-2r7p](https://github.com/zopefoundation/Products.PluggableAuthService/security/advisories/GHSA-p75f-g7gx-2r7p)
- [Products.PluggableAuthService on PyPI](https://github.com/zopefoundation/Products.PluggableAuthService)
### For more information
If you have any questions or comments about this advisory:
* Open an issue in the [Products.PluggableAuthService issue tracker](https://github.com/zopefoundation/Products.PluggableAuthService/issues)
* Email us at [[email protected]](mailto:[email protected])
Data from GitHub Advisory Database. This information is provided for research and educational purposes.