Detections
Analytics

Zope < 2.3.3 ZClass Permission Mapping Modification Local Privilege Escalation

medium Nessus Plugin ID 10777

Synopsis

The remote web server contains an application server that is prone to a privilege escalation flaw.

Description

The remote web server uses a version of Zope which is older than version 2.3.3. In such versions, any user can visit a ZClass declaration and change the ZClass permission mappings for methods and other objects defined within the ZClass, possibly allowing for unauthorized access within the Zope instance.

*** Nessus solely relied on the version number of the server, so if
*** the hotfix has already been applied, this might be a false positive

Solution

Upgrade to Zope 2.3.3 or apply the hotfix referenced in the vendor advisory above.

See Also

http://www.zope.org/Products/Zope/Hotfix_2001-05-01/security_alert

Plugin Details

Severity: Medium

ID: 10777

File Name: zope_zclass.nasl

Version: 1.25

Type: remote

Family: Web Servers

Published: 9/28/2001

Updated: 6/12/2020

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.8

CVSS v2

Risk Factor: Medium

Base Score: 4.6

Vector: CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

Required KB Items: www/zope

Vulnerability Publication Date: 5/1/2001

Reference Information

CVE: CVE-2001-0567