CVE-2024-51734

Nov. 5, 2024, 8:35 p.m.

0.0
No Score

Description

Zope AccessControl provides a general security framework for use in Zope. In affected versions anonymous users can delete the user data maintained by an `AccessControl.userfolder.UserFolder` which may prevent any privileged access. This problem has been fixed in version 7.2. Users are advised to upgrade. Users unable to upgrade may address the issue by adding `data__roles__ = ()` to `AccessControl.userfolder.UserFolder`.

Product(s) Impacted

Product Versions
Zope AccessControl
  • ['7.2']

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-284
Improper Access Control
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

References

https://github.com/zopefoundation/AccessControl/issues/159
https://github.com/zopefoundation/AccessControl/security/advisories/GHSA-g5vw-3h65-2q3v

Tags

CWE-284
security-advisories@github.com
2024-11-04
CVE-2024-51734

Timeline

Published: Nov. 4, 2024, 11:15 p.m.
Last Modified: Nov. 5, 2024, 8:35 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.