CVE-2024-51734

Zope AccessControl provides a general security framework for use in Zope. In affected versions anonymous users can delete the user data maintained by an `AccessControl.userfolder.UserFolder` which may prevent any privileged access. This problem has been fixed in version 7.2. Users are advised to upgrade. Users unable to upgrade may address the issue by adding `data__roles__ = ()` to `AccessControl.userfolder.UserFolder`.

CVSS

No CVSS.

References

Link	Resource
https://github.com/zopefoundation/AccessControl/issues/159
https://github.com/zopefoundation/AccessControl/security/advisories/GHSA-g5vw-3h65-2q3v

Configurations

No configuration.

History

05 Nov 2024, 20:35

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 0.0

05 Nov 2024, 16:04

Type	Values Removed	Values Added
Summary		(es) Zope AccessControl proporciona un marco de seguridad general para su uso en Zope. En las versiones afectadas, los usuarios anónimos pueden eliminar los datos de usuario que se mantienen en un `AccessControl.userfolder.UserFolder`, lo que puede impedir cualquier acceso privilegiado. Este problema se ha solucionado en la versión 7.2. Se recomienda a los usuarios que actualicen la versión. Los usuarios que no puedan actualizar la versión pueden solucionar el problema añadiendo `data__roles__ = ()` a `AccessControl.userfolder.UserFolder`.

04 Nov 2024, 23:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-11-04 23:15

Updated : 2024-11-05 20:35

NVD link : CVE-2024-51734

Mitre link : CVE-2024-51734

CVE.ORG link : CVE-2024-51734

JSON object : View

Products Affected

No product.

CWE

CWE-284

Improper Access Control

{"id": "CVE-2024-51734", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 0.0, "attackVector": "NETWORK", "baseSeverity": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 0.0, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"safety": "NOT_DEFINED", "version": "4.0", "recovery": "NOT_DEFINED", "baseScore": 8.7, "automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "modifiedAttackVector": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subsequentSystemIntegrity": "NONE", "vulnerableSystemIntegrity": "HIGH", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "confidentialityRequirements": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "subsequentSystemAvailability": "NONE", "vulnerableSystemAvailability": "NONE", "subsequentSystemConfidentiality": "NONE", "vulnerableSystemConfidentiality": "NONE", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED"}}]}, "published": "2024-11-04T23:15:05.213", "references": [{"url": "https://github.com/zopefoundation/AccessControl/issues/159", "source": "security-advisories@github.com"}, {"url": "https://github.com/zopefoundation/AccessControl/security/advisories/GHSA-g5vw-3h65-2q3v", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-284"}]}], "descriptions": [{"lang": "en", "value": "Zope AccessControl provides a general security framework for use in Zope. In affected versions anonymous users can delete the user data maintained by an `AccessControl.userfolder.UserFolder` which may prevent any privileged access. This problem has been fixed in version 7.2. Users are advised to upgrade. Users unable to upgrade may address the issue by adding `data__roles__ = ()` to `AccessControl.userfolder.UserFolder`."}, {"lang": "es", "value": "Zope AccessControl proporciona un marco de seguridad general para su uso en Zope. En las versiones afectadas, los usuarios an\u00f3nimos pueden eliminar los datos de usuario que se mantienen en un `AccessControl.userfolder.UserFolder`, lo que puede impedir cualquier acceso privilegiado. Este problema se ha solucionado en la versi\u00f3n 7.2. Se recomienda a los usuarios que actualicen la versi\u00f3n. Los usuarios que no puedan actualizar la versi\u00f3n pueden solucionar el problema a\u00f1adiendo `data__roles__ = ()` a `AccessControl.userfolder.UserFolder`."}], "lastModified": "2024-11-05T20:35:26.167", "sourceIdentifier": "security-advisories@github.com"}