Zope AccessControl 3.0.14

CPE Details

Zope AccessControl 3.0.14
3.0.14
2021-08-06
12h03 +00:00
2021-08-11
12h52 +00:00
Alerte pour un CPE
Stay informed of any changes for a specific CPE.
Notifications manage

CPE Name: cpe:2.3:a:zope:accesscontrol:3.0.14:*:*:*:*:*:*:*

Informations

Vendor

zope

Product

accesscontrol

Version

3.0.14

Related CVE

Open and find in CVE List

CVE ID Published Description Score Severity
CVE-2023-41050 2023-09-06 17h58 +00:00 AccessControl provides a general security framework for use in Zope. Python's "format" functionality allows someone controlling the format string to "read" objects accessible (recursively) via attribute access and subscription from accessible objects. Those attribute accesses and subscriptions use Python's full blown `getattr` and `getitem`, not the policy restricted `AccessControl` variants `_getattr_` and `_getitem_`. This can lead to critical information disclosure. `AccessControl` already provides a safe variant for `str.format` and denies access to `string.Formatter`. However, `str.format_map` is still unsafe. Affected are all users who allow untrusted users to create `AccessControl` controlled Python code and execute it. A fix has been introduced in versions 4.4, 5.8 and 6.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.
7.7
High