MEDIUM

GHSA-hm8g-jxjj-gfm3

Zope allows remote attackers to read arbitrary files

Details

The docutils module in Zope (Zope2) 2.7.0 through 2.7.9 and 2.8.0 through 2.8.8 does not properly handle web pages with reStructuredText (reST) markup, which allows remote attackers to read arbitrary files via a csv_table directive, a different vulnerability than CVE-2006-3458.

Affected packages

PyPI / zope2
Introduced in: 2.7.0

No fixed version published yet for zope2 (pip). Pin to a known-safe version or switch to an alternative.

PyPI / zope2
Introduced in: 2.8.0
Fixed in: 2.8.9
Fix: pip install --upgrade 'zope2>=2.8.9'
