CVE-2023-36814

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-36814

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-36814.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2023-36814

Aliases

Published

2023-07-03T16:48:36Z

Modified

2025-10-30T20:21:57.423453Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

zopefoundation's Products.CMFCore vulnerable to unauthenticated denial of service and crash via unchecked use of input with Python's marshal module

Details

Products.CMFCore are the key framework services for the Zope Content Management Framework (CMF). The use of Python's marshal module to handle unchecked input in a public method on PortalFolder objects can lead to an unauthenticated denial of service and crash situation. The code in question is exposed by all portal software built on top of Products.CMFCore, such as Plone. All deployments are vulnerable. The code has been fixed in Products.CMFCore version 3.2.

Database specific

{
    "cwe_ids": [
        "CWE-770"
    ]
}

References

Affected packages

Git / github.com/zopefoundation/products.cmfcore

Affected ranges

Type: GIT
Repo: https://github.com/zopefoundation/products.cmfcore
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

4ac51b398fe542f6f979ed87f7dbd73784746bf1

Affected versions

2.*

2.4.0

2.4.0b1

2.4.0b3

2.4.0b4

2.4.0b5

2.4.0b6

2.4.0b7

2.4.0b8

2.4.2

2.4.3

2.4.4

2.4.5

2.4.6

2.4.7

2.4.8

2.5.0

2.5.1

2.5.2

2.5.3

2.5.4

2.6.0

2.7.0

3.*

3.0

3.1