CVE-2023-41050 : AccessControl provides a general security framework for use in Zope. Python's "f

AccessControl provides a general security framework for use in Zope. Python's "format" functionality allows someone controlling the format string to "read" objects accessible (recursively) via attribute access and subscription from accessible objects. Those attribute accesses and subscriptions use Python's full blown `getattr` and `getitem`, not the policy restricted `AccessControl` variants `_getattr_` and `_getitem_`. This can lead to critical information disclosure. `AccessControl` already provides a safe variant for `str.format` and denies access to `string.Formatter`. However, `str.format_map` is still unsafe. Affected are all users who allow untrusted users to create `AccessControl` controlled Python code and execute it. A fix has been introduced in versions 4.4, 5.8 and 6.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Published 2023-09-06 18:15:09

Updated 2023-09-13 02:47:09

Source GitHub, Inc.

View at NVD, CVE.org

Vulnerability category: Information leak

Products affected by CVE-2023-41050

Zope » Zope
Versions from including (>=) 5.0 and before (<) 5.8.4
cpe:2.3:a:zope:zope:*:*:*:*:*:*:*:*
Matching versions
Zope » Zope
Versions before (<) 4.8.9
cpe:2.3:a:zope:zope:*:*:*:*:*:*:*:*
Matching versions
Zope » Accesscontrol
Versions from including (>=) 5.0 and before (<) 5.8
cpe:2.3:a:zope:accesscontrol:*:*:*:*:*:*:*:*
Matching versions
Zope » Accesscontrol
Versions before (<) 4.4
cpe:2.3:a:zope:accesscontrol:*:*:*:*:*:*:*:*
Matching versions
Zope » Accesscontrol
Versions from including (>=) 6.0 and before (<) 6.2
cpe:2.3:a:zope:accesscontrol:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2023-41050

EPSS FAQ

0.24%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 46 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-41050

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
7.7	HIGH	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N	3.1	4.0	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Changed Confidentiality: High Integrity: None Availability: None
6.8	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N	2.3	4.0	GitHub, Inc.
Attack Vector: Network Attack Complexity: Low Privileges Required: High User Interaction: None Scope: Changed Confidentiality: High Integrity: None Availability: None

CWE ids for CVE-2023-41050

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Assigned by: security-advisories@github.com (Primary)

References for CVE-2023-41050

https://github.com/zopefoundation/AccessControl/commit/6bc32692e0d4b8d5cf64eae3d19de987c7375bc9

Merge pull request from GHSA-8xv7-89vj-q48c · zopefoundation/AccessControl@6bc3269 · GitHub
Patch
https://github.com/zopefoundation/AccessControl/security/advisories/GHSA-8xv7-89vj-q48c

Information disclosure through Python's "format" functionality · Advisory · zopefoundation/AccessControl · GitHub
Vendor Advisory

Jump to

Vulnerability Details : CVE-2023-41050

Products affected by CVE-2023-41050

Exploit prediction scoring system (EPSS) score for CVE-2023-41050

CVSS scores for CVE-2023-41050

CWE ids for CVE-2023-41050

References for CVE-2023-41050