High severity · NVD Advisory · Published Sep 8, 2010 · Updated Apr 29, 2026
CVE-2010-3198
Description
ZServer in Zope 2.10.x before 2.10.12 and 2.11.x before 2.11.7 allows remote attackers to cause a denial of service (crash of worker threads) via vectors that trigger uncaught exceptions.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Zope (PyPI) | >= 2.10.0, < 2.10.12 | 2.10.12 |
| Zope (PyPI) | >= 2.11.0, < 2.11.7 | 2.11.7 |
Affected products
- cpe:2.3:a:zope:zope:2.10.0-b1:*:*:*:*:*:*:*
- cpe:2.3:a:zope:zope:2.10.0-b2:*:*:*:*:*:*:*
- cpe:2.3:a:zope:zope:2.10.0-c1:*:*:*:*:*:*:*
- cpe:2.3:a:zope:zope:2.10.0-final:*:*:*:*:*:*:*
- cpe:2.3:a:zope:zope:2.10.10:*:*:*:*:*:*:*
- cpe:2.3:a:zope:zope:2.10.11:*:*:*:*:*:*:*
- cpe:2.3:a:zope:zope:2.10.2:*:*:*:*:*:*:*
- cpe:2.3:a:zope:zope:2.10.2-b1:*:*:*:*:*:*:*
- cpe:2.3:a:zope:zope:2.10.2-final:*:*:*:*:*:*:*
- cpe:2.3:a:zope:zope:2.10.3:*:*:*:*:*:*:*
- cpe:2.3:a:zope:zope:2.10.3-final:*:*:*:*:*:*:*
- cpe:2.3:a:zope:zope:2.10.4-final:*:*:*:*:*:*:*
- cpe:2.3:a:zope:zope:2.10.5:*:*:*:*:*:*:*
- cpe:2.3:a:zope:zope:2.10.6:*:*:*:*:*:*:*
- cpe:2.3:a:zope:zope:2.10.7:*:*:*:*:*:*:*
- cpe:2.3:a:zope:zope:2.10.8:*:*:*:*:*:*:*
- cpe:2.3:a:zope:zope:2.10.9:*:*:*:*:*:*:*
- cpe:2.3:a:zope:zope:2.11.0:*:*:*:*:*:*:*
- cpe:2.3:a:zope:zope:2.11.0a1:*:*:*:*:*:*:*
- cpe:2.3:a:zope:zope:2.11.0b1:*:*:*:*:*:*:*
- cpe:2.3:a:zope:zope:2.11.0c1:*:*:*:*:*:*:*
- cpe:2.3:a:zope:zope:2.11.1:*:*:*:*:*:*:*
- cpe:2.3:a:zope:zope:2.11.2:*:*:*:*:*:*:*
- cpe:2.3:a:zope:zope:2.11.3:*:*:*:*:*:*:*
- cpe:2.3:a:zope:zope:2.11.4:*:*:*:*:*:*:*
- cpe:2.3:a:zope:zope:2.11.5:*:*:*:*:*:*:*
- cpe:2.3:a:zope:zope:2.11.6:*:*:*:*:*:*:*
Patches
e03a5f036d42 Prevent uncaught exceptions from killing ZServer worker threads.
2 files changed · +30 −19
doc/CHANGES.txt+3 −0 modified@@ -8,6 +8,9 @@ Zope Changes Bugs Fixed + - Prevent uncaught exceptions from killing ZServer worker threads. + https://bugs.launchpad.net/zope2/+bug/627988 + - Ensure that mailhosts which share a queue directory do not double- deliver mails, by sharing the thread which processes emails for that directory. https://bugs.launchpad.net/zope2/+bug/574286
lib/python/ZServer/PubCore/ZServerPublisher.py+27 −19 modified@@ -11,28 +11,36 @@ # ############################################################################## +import logging + +LOG = logging.getLogger('ZServerPublisher') + class ZServerPublisher: def __init__(self, accept): + from sys import exc_info from ZPublisher import publish_module from ZPublisher.WSGIPublisher import publish_module as publish_wsgi while 1: - name, a, b=accept() - if name == "Zope2": - try: - publish_module( - name, - request=a, - response=b) - finally: - b._finish() - a=b=None + try: + name, a, b=accept() + if name == "Zope2": + try: + publish_module( + name, + request=a, + response=b) + finally: + b._finish() + a=b=None - elif name == "Zope2WSGI": - try: - res = publish_wsgi(a, b) - for r in res: - a['wsgi.output'].write(r) - finally: - # TODO: Support keeping connections open. - a['wsgi.output']._close = 1 - a['wsgi.output'].close() + elif name == "Zope2WSGI": + try: + res = publish_wsgi(a, b) + for r in res: + a['wsgi.output'].write(r) + finally: + # TODO: Support keeping connections open. + a['wsgi.output']._close = 1 + a['wsgi.output'].close() + except: + LOG.error('exception caught', exc_info=True)
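Review bot: In ZServerPublisher.py the added `from sys import exc_info` is never used. The new handler calls `LOG.error('exception caught', exc_info=True)`, where `exc_info` is a keyword argument to the logging call and not the imported function, so the import can be dropped. The message `'exception caught'` also gives an operator nothing beyond the traceback; stating which branch (`Zope2` or `Zope2WSGI`) was being served would make repeated worker errors easier to triage.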
0f2f56f63e4a Prevent uncaught exceptions from killing ZServer worker threads.
2 files changed · +30 −19
doc/CHANGES.txt+3 −0 modified@@ -8,6 +8,9 @@ Zope Changes Bugs fixed + - Prevent uncaught exceptions from killing ZServer worker threads. + https://bugs.launchpad.net/zope2/+bug/627988 + - Updated 'pytz' external to point to '2010b' version (not via Zope3). - Protect ZCTextIndex's clear method against storing Acquisition wrappers.
lib/python/ZServer/PubCore/ZServerPublisher.py+27 −19 modified@@ -11,28 +11,36 @@ # ############################################################################## +import logging + +LOG = logging.getLogger('ZServerPublisher') + class ZServerPublisher: def __init__(self, accept): + from sys import exc_info from ZPublisher import publish_module from ZPublisher.WSGIPublisher import publish_module as publish_wsgi while 1: - name, a, b=accept() - if name == "Zope2": - try: - publish_module( - name, - request=a, - response=b) - finally: - b._finish() - a=b=None + try: + name, a, b=accept() + if name == "Zope2": + try: + publish_module( + name, + request=a, + response=b) + finally: + b._finish() + a=b=None - elif name == "Zope2WSGI": - try: - res = publish_wsgi(a, b) - for r in res: - a['wsgi.output'].write(r) - finally: - # TODO: Support keeping connections open. - a['wsgi.output']._close = 1 - a['wsgi.output'].close() + elif name == "Zope2WSGI": + try: + res = publish_wsgi(a, b) + for r in res: + a['wsgi.output'].write(r) + finally: + # TODO: Support keeping connections open. + a['wsgi.output']._close = 1 + a['wsgi.output'].close() + except: + LOG.error('exception caught', exc_info=True)
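Review bot: In ZServerPublisher.py the new outer `try` wraps `name, a, b=accept()` as well as the publish calls, and the bare `except:` returns control straight to `while 1`. If `accept()` itself keeps raising, the worker will spin and write an error record on every iteration; consider handling a failing `accept()` separately from a failing request, or pausing before the retry. The bare `except:` also swallows `SystemExit`; if catching everything is intended here, a comment saying so would make that explicit.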
References
- mail.zope.org/pipermail/zope-announce/2010-September/002247.html · nvd · Patch · Vendor Advisory · WEB
- bugs.launchpad.net/zope2/+bug/627988 · nvd · Exploit · Patch · Vendor Advisory · WEB
- www.vupen.com/english/advisories/2010/2275 · nvd · Vendor Advisory
- github.com/advisories/GHSA-qh4q-fwf8-qqrw · ghsa · ADVISORY
- nvd.nist.gov/vuln/detail/CVE-2010-3198 · ghsa · ADVISORY
- www.zope.org/Products/Zope/2.10.12/CHANGES.txt · nvd · WEB
- www.zope.org/Products/Zope/2.11.7/CHANGES.txt · nvd · WEB
- github.com/pypa/advisory-database/tree/main/vulns/zope/PYSEC-2010-32.yaml · ghsa · WEB
- github.com/zopefoundation/Zope/commit/0f2f56f63e4a4d695ee670e02b317e900550dbac · ghsa · WEB
- github.com/zopefoundation/Zope/commit/e03a5f036d42ed2426886c9035fe018eeec65de4 · ghsa · WEB
- web.archive.org/web/20200229173503/http://www.securityfocus.com/bid/42939 · ghsa · WEB
- www.securityfocus.com/bid/42939 · nvd