CVE-2024-51734

HIGH

Zope AccessControl <7.2 - Info Disclosure

Title source: llm
STIX 2.1

Description

Zope AccessControl provides a general security framework for use in Zope. In affected versions anonymous users can delete the user data maintained by an `AccessControl.userfolder.UserFolder` which may prevent any privileged access. This problem has been fixed in version 7.2. Users are advised to upgrade. Users unable to upgrade may address the issue by adding `data__roles__ = ()` to `AccessControl.userfolder.UserFolder`.

References (2)

Core 2

Scores

CVSS v4 8.7
EPSS 0.0041
EPSS Percentile 33.4%
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-284
Status published
Products (4)
pypi/AccessControl 0 - 7.2PyPI
pypi/Zope 0 - 5.11.1PyPI
zopefoundation/AccessControl Zope AccessControl: < 7.2
zopefoundation/AccessControl Zope bundle: < 5.11.1
Published Nov 04, 2024
Tracked Since Feb 18, 2026