High severityNVD Advisory· Published Jul 3, 2023· Updated Nov 22, 2024
zopefoundation's Products.CMFCore vulnerable to unauthenticated denial of service and crash via unchecked use of input with Python's marshal module
CVE-2023-36814
Description
Products.CMFCore are the key framework services for the Zope Content Management Framework (CMF). The use of Python's marshal module to handle unchecked input in a public method on PortalFolder objects can lead to an unauthenticated denial of service and crash situation. The code in question is exposed by all portal software built on top of Products.CMFCore, such as Plone. All deployments are vulnerable. The code has been fixed in Products.CMFCore version 3.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
Products.CMFCorePyPI | >= 3.0, < 3.2 | 3.2 |
Products.CMFCorePyPI | < 2.7.1 | 2.7.1 |
Affected products
2- Range: < 3.2
Patches
Vulnerability mechanics
References
6- github.com/advisories/GHSA-4hpj-8rhv-9x87ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2023-36814ghsaADVISORY
- github.com/pypa/advisory-database/tree/main/vulns/products-cmfcore/PYSEC-2023-113.yamlghsaWEB
- github.com/zopefoundation/Products.CMFCore/commit/40f03f43a60f28ca9485c8ef429efef729be54e5ghsax_refsource_MISCWEB
- github.com/zopefoundation/Products.CMFCore/commit/c1847a9042abe7965271fa73762dfe091b576deghsaWEB
- github.com/zopefoundation/Products.CMFCore/security/advisories/GHSA-4hpj-8rhv-9x87ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.