CVE-2024-51734

Summary

Zope AccessControl provides a general security framework for use in Zope. In affected versions anonymous users can delete the user data maintained by an AccessControl.userfolder.UserFolder which may prevent any privileged access. This problem has been fixed in version 7.2. Users are advised to upgrade. Users unable to upgrade may address the issue by adding data__roles__ = () to AccessControl.userfolder.UserFolder.

Affected Software

VendorProductVersion RangeStatus
zopefoundationAccessControlZope AccessControl: < 7.2affected
zopefoundationAccessControlZope bundle: < 5.11.1affected

Weaknesses

  • CWE-284: CWE-284: Improper Access Control

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References