Safety vulnerability ID: 60983
The information on this page was manually curated by our Cybersecurity Intelligence Team.
AccessControl 4.4, 5.8 and 6.2 include a fix for CVE-2023-41050: Python's "format" functionality allows someone controlling the format string to "read" objects accessible (recursively) via attribute access and subscription from accessible objects. Those attribute accesses and subscriptions use Python's full-blown 'getattr' and 'getitem', not the policy-restricted 'AccessControl' variants '_getattr_' and '_getitem_'. This can lead to critical information disclosure. 'AccessControl' already provides a safe variant for 'str.format' and denies access to 'string.Formatter'. However, 'str.format_map' is still unsafe. Affected are all users who allow untrusted users to create 'AccessControl'-controlled Python code and execute it.
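A guarded replacement for 'str.format_map', as an added example that is not AccessControl's own code: it routes every '.attr' and '[key]' step of a replacement field through a policy check instead of the unrestricted built-in lookups the advisory describes. The underscore-prefix deny rule and the 'Account' class are constructed stand-ins for AccessControl's '_getattr_'/'_getitem_' guards and for a protected object.

```python
import re
import string


class Unauthorized(Exception):
    """Raised when a format field tries to reach a denied attribute or key."""


# Policy stand-ins (assumption): deny underscore-prefixed names, a minimal
# analogue of the guarded _getattr_/_getitem_ that AccessControl applies.
def guarded_getattr(obj, name):
    if name.startswith("_"):
        raise Unauthorized(f"attribute {name!r} denied")
    return getattr(obj, name)


def guarded_getitem(obj, key):
    if isinstance(key, str) and key.startswith("_"):
        raise Unauthorized(f"item {key!r} denied")
    return obj[key]


# Matches one ".attr" or "[key]" step of a replacement field such as "a.b[c]".
_STEP_RE = re.compile(r"\.([^.\[]+)|\[([^\]]*)\]")


class SafeFormatter(string.Formatter):
    """Formatter whose attribute/item traversal uses the guards above rather
    than the built-in getattr/getitem that str.format_map uses."""

    def get_field(self, field_name, args, kwargs):
        first = re.match(r"[^.\[]*", field_name).group(0)
        # Positional fields arrive from vformat as digit strings.
        obj = self.get_value(int(first) if first.isdigit() else first, args, kwargs)
        for attr, key in _STEP_RE.findall(field_name[len(first):]):
            if attr:
                obj = guarded_getattr(obj, attr)
            else:
                # Like the built-in formatter, all-digit keys index as integers.
                obj = guarded_getitem(obj, int(key) if key.isdigit() else key)
        return obj, first


def safe_format_map(template, mapping):
    """Drop-in for template.format_map(mapping) with policy-guarded lookups."""
    return SafeFormatter().vformat(template, (), mapping)


class Account:
    """Constructed sample object: one public and one private attribute."""

    def __init__(self, owner, token):
        self.owner = owner
        self._token = token
```

Running `safe_format_map("{acct._token}", {"acct": Account("alice", "x")})` raises Unauthorized, while `"{acct.owner}"` renders normally; the format spec and conversion parts of a field are still handled by the base Formatter.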
Latest version: 7.2
Security framework for Zope.