CVE-2023-41050
published 2023-09-06CVE-2023-41050: AccessControl provides a general security framework for use in Zope. Python's "format" functionality allows someone controlling the format string to "read"…
PriorityP343high7.7CVSS 3.1
AVNACLPRLUINSCCHINAN
EPSS
0.52%
40.2th percentile
AccessControl provides a general security framework for use in Zope. Python's "format" functionality allows someone controlling the format string to "read" objects accessible (recursively) via attribute access and subscription from accessible objects. Those attribute accesses and subscriptions use Python's full blown `getattr` and `getitem`, not the policy restricted `AccessControl` variants `_getattr_` and `_getitem_`. This can lead to critical information disclosure. `AccessControl` already provides a safe variant for `str.format` and denies access to `string.Formatter`. However, `str.format_map` is still unsafe. Affected are all users who allow untrusted users to create `AccessControl` controlled Python code and execute it. A fix has been introduced in versions 4.4, 5.8 and 6.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Affected
15 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zope | accesscontrol | < 4.4 | 4.4 |
| zope | accesscontrol | >= 5.0 < 5.8 | 5.8 |
| zope | accesscontrol | >= 6.0 < 6.2 | 6.2 |
| zope | zope | < 4.8.9 | 4.8.9 |
| zope | zope | >= 0 < 4.8.9 | 4.8.9 |
| zope | zope | >= 5.0 < 5.8.4 | 5.8.4 |
| zope | zope | >= 5.0.0 < 5.8.4 | 5.8.4 |
| zopefoundation | accesscontrol | — | — |
| zopefoundation | accesscontrol | — | — |
| zopefoundation | accesscontrol | — | — |
| zopefoundation | accesscontrol | — | — |
| zopefoundation | accesscontrol | — | — |
| zopefoundation | accesscontrol | >= 0 < 4.4 | 4.4 |
| zopefoundation | accesscontrol | >= 5.0 < 5.8 | 5.8 |
| zopefoundation | accesscontrol | >= 6.0 < 6.2 | 6.2 |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
Information disclosure in AccessControl
osv·2023-09-07
CVE-2023-41050 [MEDIUM] Information disclosure in AccessControl
Information disclosure in AccessControl
### Impact
Python's "format" functionality allows someone controlling the format string to "read" objects accessible (recursively) via attribute access and subscription from accessible objects. Those attribute accesses and subscriptions use Python's full blown `getattr` and `getitem`, not the policy restricted `AccessControl` variants `_getattr_` and `_getitem_`. This can lead to critical information disclosure.
`AccessControl` already provides a safe variant for `str.format` and denies access to `string.Formatter`. However, `str.format_map` is still unsafe.
Affected are all users who allow untrusted users to create `AccessControl` controlled Python code and execute it.
### Patches
A fix will be introduced in the versions 4.4, 5.8 and 6.2.
### W
GHSA
Information disclosure in AccessControl
ghsa·2023-09-07
CVE-2023-41050 [MEDIUM] CWE-200 Information disclosure in AccessControl
Information disclosure in AccessControl
### Impact
Python's "format" functionality allows someone controlling the format string to "read" objects accessible (recursively) via attribute access and subscription from accessible objects. Those attribute accesses and subscriptions use Python's full blown `getattr` and `getitem`, not the policy restricted `AccessControl` variants `_getattr_` and `_getitem_`. This can lead to critical information disclosure.
`AccessControl` already provides a safe variant for `str.format` and denies access to `string.Formatter`. However, `str.format_map` is still unsafe.
Affected are all users who allow untrusted users to create `AccessControl` controlled Python code and execute it.
### Patches
A fix will be introduced in the versions 4.4, 5.8 and 6.2.
### W
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://github.com/zopefoundation/AccessControl/commit/6bc32692e0d4b8d5cf64eae3d19de987c7375bc9https://github.com/zopefoundation/AccessControl/security/advisories/GHSA-8xv7-89vj-q48chttps://github.com/zopefoundation/AccessControl/commit/6bc32692e0d4b8d5cf64eae3d19de987c7375bc9https://github.com/zopefoundation/AccessControl/security/advisories/GHSA-8xv7-89vj-q48c
2023-09-06
Published