4.6 Medium
CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:L/AC:L/Au:N/C:P/I:P/A:P
0.0004 Low
EPSS
Percentile
5.1%
A new Zope hotfix has been released which fixes a problem in ZClasses. The README for the 2001-05-01 hotfix describes the problem as `any user can visit a ZClass declaration and change the ZClass permission mappings for methods and other objects defined within the ZClass, possibly allowing for unauthorized access within the Zope instance.’
This hotfix has been added in version 2.1.6-10, and we highly recommend that you upgrade your zope package immediately.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DSA-055. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(14892);
script_version("1.19");
script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/04");
script_cve_id("CVE-2001-0567");
script_xref(name:"DSA", value:"055");
script_name(english:"Debian DSA-055-1 : zope - remote unauthorized access");
script_summary(english:"Checks dpkg output for the updated package");
script_set_attribute(
attribute:"synopsis",
value:"The remote Debian host is missing a security-related update."
);
script_set_attribute(
attribute:"description",
value:
"A new Zope hotfix has been released which fixes a problem in
ZClasses. The README for the 2001-05-01 hotfix describes the problem
as `any user can visit a ZClass declaration and change the ZClass
permission mappings for methods and other objects defined within the
ZClass, possibly allowing for unauthorized access within the Zope
instance.'
This hotfix has been added in version 2.1.6-10, and we highly
recommend that you upgrade your zope package immediately."
);
script_set_attribute(
attribute:"see_also",
value:"http://www.debian.org/security/2001/dsa-055"
);
script_set_attribute(attribute:"solution", value:"Upgrade the affected zope package.");
script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:zope");
script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:2.2");
script_set_attribute(attribute:"patch_publication_date", value:"2001/05/07");
script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29");
script_set_attribute(attribute:"vuln_publication_date", value:"2001/05/01");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 2004-2021 Tenable Network Security, Inc.");
script_family(english:"Debian Local Security Checks");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
exit(0);
}
include("audit.inc");
include("debian_package.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
flag = 0;
if (deb_check(release:"2.2", prefix:"zope", reference:"2.1.6-10")) flag++;
if (flag)
{
if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
else security_warning(0);
exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
Vendor | Product | Version | CPE |
---|---|---|---|
debian | debian_linux | zope | p-cpe:/a:debian:debian_linux:zope |
debian | debian_linux | 2.2 | cpe:/o:debian:debian_linux:2.2 |