Severity: HIGH

GHSA-7944-h5rw-qmjx

ZCatalog plug-in for Zope allows anonymous users to bypass access restrictions

Details

ZCatalog plug-in index support capability for Zope 2.4.0 through 2.5.1 allows anonymous users and untrusted code to bypass access restrictions and call arbitrary methods of catalog indexes.

Affected packages

PyPI / zope
Introduced in: 2.4.0
Fixed in: 2.6.0
Fix: pip install --upgrade 'zope>=2.6.0'
