LOW

GHSA-jcjp-qqpq-pc54

Zope allows local users to read arbitrary files

Details

Zope 2.7.0 to 2.7.8, 2.8.0 to 2.8.7, and 2.9.0 to 2.9.3 (Zope2) does not disable the "raw" command when providing untrusted users with restructured text (reStructuredText) functionality from docutils, which allows local users to read arbitrary files.
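The following is an added example, not Zope's code or part of this advisory. It shows the docutils settings a defender applies when the reST source comes from untrusted users (raw directive and file insertion off, warnings treated as fatal) next to the library defaults that the advisory describes, using a constructed temporary file in place of a sensitive one. It assumes a current docutils with `publish_parts` and the standard `raw_enabled` / `file_insertion_enabled` settings.

```python
"""Rendering reStructuredText from untrusted users with docutils.

Added example (not Zope's own code): the docutils ``raw`` directive can
splice a named file into the output, so it must be disabled whenever the
reST source is untrusted. A constructed temporary file stands in for a
sensitive file.
"""
import io
import os
import tempfile

from docutils.core import publish_parts
from docutils.utils import SystemMessage

# Settings for rendering reST supplied by untrusted users.
HARDENED_SETTINGS = {
    'raw_enabled': False,             # ``.. raw::`` is rejected outright
    'file_insertion_enabled': False,  # no ``:file:``/``:url:``, no ``.. include::``
    'halt_level': 2,                  # a warning (e.g. "directive disabled") aborts
    'traceback': True,                # propagate the exception instead of sys.exit()
    'warning_stream': io.StringIO(),  # keep docutils diagnostics off stderr
}


def render_untrusted(rst_text):
    """Render reST to an HTML fragment with raw/file insertion disabled.

    Returns the HTML body, or None when docutils refused the document
    (fail closed: nothing from a rejected document reaches the page).
    """
    try:
        parts = publish_parts(source=rst_text, writer_name='html',
                              settings_overrides=HARDENED_SETTINGS)
    except SystemMessage:
        return None
    return parts['body']


def render_with_defaults(rst_text):
    """Library defaults: raw directive and file insertion enabled."""
    parts = publish_parts(source=rst_text, writer_name='html',
                          settings_overrides={'warning_stream': io.StringIO()})
    return parts['body']


def demo():
    """Return (leaked_by_defaults, leaked_when_hardened, hardened_output)."""
    secret = 'CONSTRUCTED-SECRET-TOKEN'   # constructed stand-in for file contents
    with tempfile.NamedTemporaryFile('w', suffix='.txt', delete=False) as fh:
        fh.write(secret)
        path = fh.name
    try:
        # A reST document naming a file through the raw directive's ``:file:`` option.
        doc = f".. raw:: html\n   :file: {path}\n"
        leaked_default = secret in render_with_defaults(doc)
        hardened = render_untrusted(doc)
        leaked_hardened = hardened is not None and secret in hardened
    finally:
        os.unlink(path)
    return leaked_default, leaked_hardened, hardened


if __name__ == '__main__':
    print(demo())            # (True, False, None)
    print(render_untrusted('Plain *emphasis* still renders.'))
```

`halt_level: 2` makes any docutils warning, not only the disabled directive, reject the whole document; that is the fail-closed choice for untrusted input. With the default `halt_level` the hardened settings still never read the file, but the rendered body then carries a system-message block in place of the directive, so the caller has to tolerate that in the output.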


Affected packages

PyPI / zope2
  Introduced in: 2.7.0
  Fixed in: 2.7.8
  Fix: pip install --upgrade 'zope2>=2.7.8'

PyPI / zope2
  Introduced in: 2.8.0
  Fixed in: 2.8.7
  Fix: pip install --upgrade 'zope2>=2.8.7'

PyPI / zope2
  Introduced in: 2.9.0
  Fixed in: 2.9.3
  Fix: pip install --upgrade 'zope2>=2.9.3'