Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2023-41050

AccessControl provides a general security framework for use in Zope. Python's "format" functionality allows someone controlling the format string to "read" objects accessible (recursively) via attribute access and subscription from accessible objects. Those attribute accesses and subscriptions use Python's full blown `getattr` and `getitem`, not the policy restricted `AccessControl` variants `_getattr_` and `_getitem_`. This can lead to critical information disclosure. `AccessControl` already provides a safe variant for `str.format` and denies access to `string.Formatter`. However, `str.format_map` is still unsafe. Affected are all users who allow untrusted users to create `AccessControl` controlled Python code and execute it. A fix has been introduced in versions 4.4, 5.8 and 6.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Published

2023-09-06T18:15:08.847

Last Modified

2024-11-21T08:20:27.607

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 6.8 (MEDIUM)

Weaknesses

Type: Primary
CWE-200

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	zope	accesscontrol	< 4.4	Yes
Application	zope	accesscontrol	< 5.8	Yes
Application	zope	accesscontrol	< 6.2	Yes
Application	zope	zope	< 4.8.9	Yes
Application	zope	zope	< 5.8.4	Yes

References

https://github.com/zopefoundation/AccessControl/commit/6bc32692e0d4b8d5cf64eae3d19de987c7375bc9 Patch ([email protected])
https://github.com/zopefoundation/AccessControl/security/advisories/GHSA-8xv7-89vj-q48c Vendor Advisory ([email protected])
https://github.com/zopefoundation/AccessControl/commit/6bc32692e0d4b8d5cf64eae3d19de987c7375bc9 Patch (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/zopefoundation/AccessControl/security/advisories/GHSA-8xv7-89vj-q48c Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)