cbcvebase.
CVE-2023-41050
published 2023-09-06

CVE-2023-41050: AccessControl provides a general security framework for use in Zope. Python's "format" functionality allows someone controlling the format string to "read"…

PriorityP343high7.7CVSS 3.1
AVNACLPRLUINSCCHINAN
EPSS
0.52%
40.2th percentile
AccessControl provides a general security framework for use in Zope. Python's "format" functionality allows someone controlling the format string to "read" objects accessible (recursively) via attribute access and subscription from accessible objects. Those attribute accesses and subscriptions use Python's full blown `getattr` and `getitem`, not the policy restricted `AccessControl` variants `_getattr_` and `_getitem_`. This can lead to critical information disclosure. `AccessControl` already provides a safe variant for `str.format` and denies access to `string.Formatter`. However, `str.format_map` is still unsafe. Affected are all users who allow untrusted users to create `AccessControl` controlled Python code and execute it. A fix has been introduced in versions 4.4, 5.8 and 6.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Affected

15 ranges
VendorProductVersion rangeFixed in
zopeaccesscontrol< 4.44.4
zopeaccesscontrol>= 5.0 < 5.85.8
zopeaccesscontrol>= 6.0 < 6.26.2
zopezope< 4.8.94.8.9
zopezope>= 0 < 4.8.94.8.9
zopezope>= 5.0 < 5.8.45.8.4
zopezope>= 5.0.0 < 5.8.45.8.4
zopefoundationaccesscontrol
zopefoundationaccesscontrol
zopefoundationaccesscontrol
zopefoundationaccesscontrol
zopefoundationaccesscontrol
zopefoundationaccesscontrol>= 0 < 4.44.4
zopefoundationaccesscontrol>= 5.0 < 5.85.8
zopefoundationaccesscontrol>= 6.0 < 6.26.2
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.