Lucene search

Veracode Vulnerability DatabaseVERACODE:43188

HistorySep 08, 2023 - 6:15 a.m.

Information Disclosure

2023-09-0806:15:24

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

accesscontrol

information disclosure

format_map

getattr

getitem

critical

software

7.7 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

0.0005 Low

EPSS

Percentile

18.2%

JSON

AccessControl is vulnerable to Information Disclosure. The vulnerability is due to the format_map function which allows attackers controlling the format string to read objects accessible via getattr and getitem which can result a critical information disclosure.

CPENameOperatorVersion
accesscontrolle5.7
accesscontrolle4.3
accesscontrolle6.1
accesscontrolle5.7
accesscontrolle4.3
accesscontrolle6.1

Name	Operator	Version
accesscontrol	le	5.7
accesscontrol	le	4.3
accesscontrol	le	6.1
accesscontrol	le	5.7
accesscontrol	le	4.3
accesscontrol	le	6.1

References

github.com/zopefoundation/AccessControl/commit/6b448f3739602d61c4eb1f4131c8f40a813fc74a

github.com/zopefoundation/AccessControl/commit/6bc32692e0d4b8d5cf64eae3d19de987c7375bc9

github.com/zopefoundation/AccessControl/security/advisories/GHSA-8xv7-89vj-q48c

7.7 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

0.0005 Low

EPSS

Percentile

18.2%

JSON

Related for VERACODE:43188