Description
Zope AccessControl provides a general security framework for use in Zope. In affected versions anonymous users can delete the user data maintained by an `AccessControl.userfolder.UserFolder` which may prevent any privileged access. This problem has been fixed in version 7.2. Users are advised to upgrade. Users unable to upgrade may address the issue by adding `data__roles__ = ()` to `AccessControl.userfolder.UserFolder`.
References (2)
Core 2
Core References
Vendor Advisory x_refsource_confirm
https://github.com/zopefoundation/AccessControl/security/advisories/GHSA-g5vw-3h65-2q3v
Issue Tracking x_refsource_misc
https://github.com/zopefoundation/AccessControl/issues/159
Scores
CVSS v4
8.7
EPSS
0.0018
EPSS Percentile
38.6%
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-284
Status
published
Products (4)
pypi/AccessControl
0 - 7.2PyPI
pypi/Zope
0 - 5.11.1PyPI
zopefoundation/AccessControl
Zope AccessControl: < 7.2
zopefoundation/AccessControl
Zope bundle: < 5.11.1
Published
Nov 04, 2024
Tracked Since
Feb 18, 2026