CVE-2024-51734
User data deletion by anoynmous users in Zope
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Zope AccessControl provides a general security framework for use in Zope. In affected versions anonymous users can delete the user data maintained by an `AccessControl.userfolder.UserFolder` which may prevent any privileged access. This problem has been fixed in version 7.2. Users are advised to upgrade. Users unable to upgrade may address the issue by adding `data__roles__ = ()` to `AccessControl.userfolder.UserFolder`.
Zope AccessControl proporciona un marco de seguridad general para su uso en Zope. En las versiones afectadas, los usuarios anónimos pueden eliminar los datos de usuario que se mantienen en un `AccessControl.userfolder.UserFolder`, lo que puede impedir cualquier acceso privilegiado. Este problema se ha solucionado en la versión 7.2. Se recomienda a los usuarios que actualicen la versión. Los usuarios que no puedan actualizar la versión pueden solucionar el problema añadiendo `data__roles__ = ()` a `AccessControl.userfolder.UserFolder`.
CVSS Scores
SSVC
- Decision:Attend
Timeline
- 2024-10-31 CVE Reserved
- 2024-11-04 CVE Published
- 2024-11-05 EPSS Updated
- 2024-11-21 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-284: Improper Access Control
CAPEC
References (2)
URL | Tag | Source |
---|---|---|
https://github.com/zopefoundation/AccessControl/issues/159 | X_refsource_misc | |
https://github.com/zopefoundation/AccessControl/security/advisories/GHSA-g5vw-3h65-2q3v | X_refsource_confirm |
URL | Date | SRC |
---|
URL | Date | SRC |
---|
URL | Date | SRC |
---|
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Zopefoundation Search vendor "Zopefoundation" | AccessControl Search vendor "Zopefoundation" for product "AccessControl" | < 7.2 Search vendor "Zopefoundation" for product "AccessControl" and version " < 7.2" | en |
Affected
| ||||||
Zopefoundation Search vendor "Zopefoundation" | AccessControl Search vendor "Zopefoundation" for product "AccessControl" | < 5.11.1 Search vendor "Zopefoundation" for product "AccessControl" and version " < 5.11.1" | en |
Affected
|