CVE-2024-22889

7.5 HIGH

📋 TL;DR

CVE-2024-22889 is an access control vulnerability in Plone v6.0.9 that allows remote attackers to view and list all files hosted on the website via crafted requests. This affects all Plone v6.0.9 installations with default configurations, potentially exposing sensitive files to unauthorized users.

💻 Affected Systems

Products:
  • Plone
Versions: v6.0.9
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Plone v6.0.9 specifically; other versions may not be vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete exposure of all website files including sensitive configuration files, user data, and private content, leading to data breaches and potential credential theft.

🟠 Likely Case: Unauthorized access to file listings and content, enabling reconnaissance and data exfiltration of publicly accessible files.

🟢 If Mitigated: Limited exposure of non-sensitive files if proper access controls and file permissions are already configured.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public proof-of-concept available on GitHub; exploitation requires only crafted HTTP requests.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v6.0.10 or later

Vendor Advisory: https://plone.org/security/advisories

Restart Required: Yes

Instructions:

1. Back up your Plone instance.
2. Update Plone to v6.0.10 or later using pip: 'pip install --upgrade Plone'.
3. Restart the Plone service.
4. Verify the update with 'bin/instance debug' and check the version.

🔧 Temporary Workarounds

Access Control Configuration (applies to: all)

Implement strict access control rules to restrict file listing and viewing permissions.

Configure via Plone control panel: Security -> Sharing -> Set appropriate permissions

Web Application Firewall Rules (applies to: all)

Block requests attempting to list or access files via suspicious patterns.

Add WAF rule: Block requests containing '/@@file-listing' or similar patterns

🧯 If You Can't Patch

  • Implement network segmentation to isolate Plone instances from untrusted networks.
  • Deploy a reverse proxy with strict URL filtering to block file listing endpoints.

🔍 How to Verify

Check if Vulnerable:

Test by sending a crafted request to the file listing endpoint (e.g., GET /@@file-listing) and check if unauthorized file listings are returned.

Check Version:

Run 'bin/instance debug' and check the Plone version in the output.

Verify Fix Applied:

After patching, attempt the same crafted request; it should return an access denied error or no file listings.

📡 Detection & Monitoring

Log Indicators:

  • HTTP 200 responses to file listing endpoints from unauthorized IPs
  • Unusual GET requests to '/@@file-listing' or similar paths

Network Indicators:

  • Spike in requests to file listing endpoints
  • Outbound data transfers of file contents

SIEM Query:

source="plone.log" AND (uri_path="/@@file-listing" OR uri_path="/@@view") AND http_status=200
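As an added example (not part of this advisory), the log indicators above applied to web-server access logs in combined log format: it flags successful GET requests to file listing paths and sources that issue them in bulk. The '/@@file-listing' path is the one named on this page; the '/folder_contents' pattern and the sample log lines are assumed/constructed.

```python
import re
from collections import Counter

# Combined log format (assumed; the constructed sample lines below follow it).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)

# '/@@file-listing' is the path named in this advisory; '/folder_contents' is an
# assumed extra pattern standing in for the "or similar paths" wording.
LISTING_PATHS = ("/@@file-listing", "/folder_contents")


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def is_listing_request(entry):
    """True for GET requests whose path (query string stripped) hits a listing endpoint."""
    path = entry["path"].split("?", 1)[0]
    return entry["method"] == "GET" and any(p in path for p in LISTING_PATHS)


def find_suspicious(lines, threshold=3):
    """Return (hits, spiking_ips). hits = (ip, path) for every HTTP 200 answer to a
    listing request (the page's log indicator); spiking_ips = sources with at least
    `threshold` such hits (the page's 'spike in requests' network indicator)."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry and is_listing_request(entry) and entry["status"] == 200:
            hits.append((entry["ip"], entry["path"]))
    per_ip = Counter(ip for ip, _ in hits)
    spiking = sorted(ip for ip, n in per_ip.items() if n >= threshold)
    return hits, spiking


# Constructed sample log (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2024:12:00:01 +0000] "GET /@@file-listing HTTP/1.1" 200 5120 "-" "curl/8.0"',
    '203.0.113.5 - - [10/Mar/2024:12:00:02 +0000] "GET /news/@@file-listing HTTP/1.1" 200 2048 "-" "curl/8.0"',
    '203.0.113.5 - - [10/Mar/2024:12:00:03 +0000] "GET /events/@@file-listing?b_start=0 HTTP/1.1" 200 1024 "-" "curl/8.0"',
    '198.51.100.7 - - [10/Mar/2024:12:01:00 +0000] "GET /@@file-listing HTTP/1.1" 403 312 "-" "curl/8.0"',
    '192.0.2.10 - - [10/Mar/2024:12:02:00 +0000] "GET /index_html HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Mar/2024:12:02:05 +0000] "GET /news/@@file-listing HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]
```

The 403 line shows what the same request looks like after the fix or a working WAF rule, which is why only HTTP 200 responses are counted as hits.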
