CVE-2023-41050

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2023-41050

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-41050.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2023-41050

Aliases

GHSA-8xv7-89vj-q48c

Published

2023-09-06T17:58:10.510Z

Modified

2026-03-13T07:43:12.795626Z

Severity

6.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N CVSS Calculator

Summary

Information disclosure through Python's "format" functionality in Zope AccessControl

Details

AccessControl provides a general security framework for use in Zope. Python's "format" functionality allows someone controlling the format string to "read" objects accessible (recursively) via attribute access and subscription from accessible objects. Those attribute accesses and subscriptions use Python's full blown getattr and getitem, not the policy restricted AccessControl variants _getattr_ and _getitem_. This can lead to critical information disclosure. AccessControl already provides a safe variant for str.format and denies access to string.Formatter. However, str.format_map is still unsafe. Affected are all users who allow untrusted users to create AccessControl controlled Python code and execute it. A fix has been introduced in versions 4.4, 5.8 and 6.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Database specific

{
    "cwe_ids": [
        "CWE-200"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/41xxx/CVE-2023-41050.json"
}

References

Affected packages

Git / github.com/zopefoundation/accesscontrol

Affected ranges

Type: GIT
Repo: https://github.com/zopefoundation/accesscontrol
Events: Introduced

db9f93f5b97de562e7741ea95cd38299b05fc7bc

Fixed

6bc32692e0d4b8d5cf64eae3d19de987c7375bc9

Affected versions

6.*

6.0

6.1

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-41050.json"

Git / github.com/zopefoundation/zope

Affected ranges

Type

GIT

Repo

https://github.com/zopefoundation/zope

Events

Introduced

63f7ed59b82e973b6a44cb755837df7f787ff72b

Fixed

65a5c6012cf150d55c82c32de52625dd504eecbd

Introduced

Fixed

86e0f40b48a7cfa16bce41d0a477b8b67c585ce2

Introduced

63f7ed59b82e973b6a44cb755837df7f787ff72b

Fixed

4e63a8c3bed8c195cf9e3d5472129836f1cab96b

Database specific

{
    "versions": [
        {
            "introduced": "5.0"
        },
        {
            "fixed": "5.8"
        },
        {
            "introduced": "0"
        },
        {
            "fixed": "4.8.9"
        },
        {
            "introduced": "5.0"
        },
        {
            "fixed": "5.8.4"
        }
    ]
}

Affected versions

5.*

5.0

5.1

5.1.1

5.1.2

5.2

5.2.1

5.3

5.4

5.5

5.5.1

5.5.2

5.6

5.7

5.7.1

5.7.2

5.7.3

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-41050.json"