Input validation error in Zope
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Input validation error
EUVDB-ID: #VU111198
Risk: Low
CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2001-0128
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a local user to execute arbitrary code.
Zope before 2.2.4 does not properly compute local roles, which could allow users to bypass specified access restrictions and gain privileges.
MitigationInstall update from vendor's website.
Vulnerable software versionsZope: 2.2 beta1 - 2.2.4b1
CPE2.3- cpe:2.3:a:zope:zope:2.2_beta1:*:*:*:*:*:*:*
- cpe:2.3:a:zope:zope:2.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:zope:zope:2.2.0a1:*:*:*:*:*:*:*
- cpe:2.3:a:zope:zope:2.2.0b1:*:*:*:*:*:*:*
- cpe:2.3:a:zope:zope:2.2.0b2:*:*:*:*:*:*:*
- cpe:2.3:a:zope:zope:2.2.0b3:*:*:*:*:*:*:*
- cpe:2.3:a:zope:zope:2.2.0b4:*:*:*:*:*:*:*
- cpe:2.3:a:zope:zope:2.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:zope:zope:2.2.1b1:*:*:*:*:*:*:*
- cpe:2.3:a:zope:zope:2.2.2:*:*:*:*:*:*:*
https:ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:06.zope.asc
https://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000365
https://www.debian.org/security/2000/20001219
https://www.linux-mandrake.com/en/updates/2000/MDKSA-2000-083.php3
https://www.osvdb.org/6284
https://www.redhat.com/support/errata/RHSA-2000-127.html
https://exchange.xforce.ibmcloud.com/vulnerabilities/5777
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
