GHSA-g5vw-3h65-2q3v

Опубликовано: 04 нояб. 2024

Источник: github

Github: Прошло ревью

CVSS4: 6.6

CVSS3: 9.1

Описание

Access control vulnerable to user data deletion by anonynmous users

Impact

Anonymous users can delete the user data maintained by an AccessControl.userfolder.UserFolder which may prevent any privileged access.

Patches

The problem is fixed in version 7.2.

Workarounds

The problem can be fixed by adding data__roles__ = () to AccessControl.userfolder.UserFolder.

References

https://github.com/zopefoundation/AccessControl/issues/159

Ссылки

Пакеты

Наименование

AccessControl

pip

Затронутые версииВерсия исправления

< 7.2

7.2

Наименование

Zope

pip

Затронутые версииВерсия исправления

< 5.11.1

5.11.1

EPSS

Процентиль: 33%

0.00129

Низкий

6.6 Medium

CVSS4

9.1 Critical

CVSS3

CVE ID

CVE-2024-51734

Дефекты

CWE-269

CWE-284

Связанные уязвимости

CVE-2024-51734

nvd

больше 1 года назад

Zope AccessControl provides a general security framework for use in Zope. In affected versions anonymous users can delete the user data maintained by an `AccessControl.userfolder.UserFolder` which may prevent any privileged access. This problem has been fixed in version 7.2. Users are advised to upgrade. Users unable to upgrade may address the issue by adding `data__roles__ = ()` to `AccessControl.userfolder.UserFolder`.

EPSS

Процентиль: 33%

0.00129

Низкий

6.6 Medium

CVSS4

9.1 Critical

CVSS3

CVE ID

CVE-2024-51734

Дефекты

CWE-269

CWE-284