CVE-2023-41050 MEDIUM

CVE-2023-41050: Information disclosure through Python's "format" functionality in Zope AccessControl

Vendor Zopefoundation

Product AccessControl

Weakness CWE-200 · Info exposure

Published September 6, 2023

Last update September 26, 2024

View on NVD All CVEs

CVSS base score

6.8/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction None

Confidentiality High

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

What the vulnerability does

Description

AccessControl provides a general security framework for use in Zope. Python's "format" functionality allows someone controlling the format string to "read" objects accessible (recursively) via attribute access and subscription from accessible objects. Those attribute accesses and subscriptions use Python's full blown `getattr` and `getitem`, not the policy restricted `AccessControl` variants `_getattr_` and `_getitem_`. This can lead to critical information disclosure. `AccessControl` already provides a safe variant for `str.format` and denies access to `string.Formatter`. However, `str.format_map` is still unsafe. Affected are all users who allow untrusted users to create `AccessControl` controlled Python code and execute it. A fix has been introduced in versions 4.4, 5.8 and 6.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Key dates

Disclosure timeline

September 6, 2023 CVE published

September 26, 2024 Record updated

Identifiers

CVE CVE-2023-41050

CWE CWE-200

CVSS 6.8 / MEDIUM

Affected versions

Vendor Zopefoundation

Product AccessControl

Affected AccessControl: < 4.4

Vendor Zopefoundation

Product AccessControl

Affected AccessControl: >= 5.0, < 5.8

Vendor Zopefoundation

Product AccessControl

Affected AccessControl: >= 6.0, < 6.2

Vendor Zopefoundation

Product AccessControl

Affected Zope: < 4.8.9

Vendor Zopefoundation

Product AccessControl

Affected Zope: >= 5.0.0, < 5.8.4