HIGH

GHSA-c3rp-4cjh-cp38

Zope does not properly verify the access for objects with proxy roles

Details

Zope 2.2.0 through 2.5.1 does not properly verify the access for objects with proxy roles, which could allow some users to access documents in violation of the intended configuration.

Affected packages

PyPI / zope
Introduced in: 2.2.0
Fixed in: 2.4.4
Fix: pip install --upgrade 'zope>=2.4.4'

PyPI / zope
Introduced in: 2.5.0
Fixed in: 2.5.1
Fix: pip install --upgrade 'zope>=2.5.1'

References