Zope Information Disclosure Vulnerability (GHSA-8xv7-89vj-q48c)

2023-10-0600:00:00

plugins.openvas.org

zope

information disclosure

vulnerability

python

format

ghsa-8xv7-89vj-q48c

cve-2023-41050

web servers

version 4.8.8

version 5.x

accesscontrol

7.7 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

6.6 Medium

AI Score

Confidence

Low

0.0005 Low

EPSS

Percentile

18.2%

JSON

Zope is prone to an information disclosure vulnerability
through Python

# SPDX-FileCopyrightText: 2023 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only

CPE = "cpe:/a:zope:zope";

if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.151104");
  script_version("2023-10-13T16:09:03+0000");
  script_tag(name:"last_modification", value:"2023-10-13 16:09:03 +0000 (Fri, 13 Oct 2023)");
  script_tag(name:"creation_date", value:"2023-10-06 02:45:01 +0000 (Fri, 06 Oct 2023)");
  script_tag(name:"cvss_base", value:"6.8");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:S/C:C/I:N/A:N");
  script_tag(name:"severity_vector", value:"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N");
  script_tag(name:"severity_origin", value:"NVD");
  script_tag(name:"severity_date", value:"2023-09-13 02:47:00 +0000 (Wed, 13 Sep 2023)");

  script_cve_id("CVE-2023-41050");

  script_tag(name:"qod_type", value:"remote_banner");

  script_tag(name:"solution_type", value:"VendorFix");

  script_name("Zope Information Disclosure Vulnerability (GHSA-8xv7-89vj-q48c)");

  script_category(ACT_GATHER_INFO);

  script_copyright("Copyright (C) 2023 Greenbone AG");
  script_family("Web Servers");
  script_dependencies("gb_zope_http_detect.nasl");
  script_mandatory_keys("zope/detected");

  script_tag(name:"summary", value:"Zope is prone to an information disclosure vulnerability
  through Python's 'format' functionality.");

  script_tag(name:"vuldetect", value:"Checks if a vulnerable version is present on the target host.");

  script_tag(name:"insight", value:"Python's 'format' functionality allows someone controlling the
  format string to 'read' objects accessible (recursively) via attribute access and subscription
  from accessible objects. Those attribute accesses and subscriptions use Python's full blown
  getattr and getitem, not the policy restricted AccessControl variants _getattr_ and _getitem_.
  This can lead to critical information disclosure.");

  script_tag(name:"affected", value:"Zope version 4.8.8 and prior and version 5.x through 5.8.3.");

  script_tag(name:"solution", value:"Update to version 4.8.9, 5.8.4 or later.");

  script_xref(name:"URL", value:"https://github.com/zopefoundation/AccessControl/security/advisories/GHSA-8xv7-89vj-q48c");

  exit(0);
}

include("host_details.inc");
include("version_func.inc");

if (!port = get_app_port(cpe: CPE))
  exit(0);

if (!infos = get_app_version_and_location(cpe: CPE, port: port, exit_no_version: TRUE))
  exit(0);

version = infos["version"];
location = infos["location"];

if (version_is_less(version: version, test_version: "4.8.9")) {
  report = report_fixed_ver(installed_version: version, fixed_version: "4.8.9", install_path: location);
  security_message(port: port, data: report);
  exit(0);
}

if (version_in_range_exclusive(version: version, test_version_lo: "5.0", test_version_up: "5.8.4")) {
  report = report_fixed_ver(installed_version: version, fixed_version: "5.8.4", install_path: location);
  security_message(port: port, data: report);
  exit(0);
}

exit(99);