zopefoundation's Products.CMFCore vulnerable to unauthenticated denial of service and crash via unchecked use of input with Python's marshal module
CVE-2023-36814

7.5HIGH

Key Information:

Vendor
CVE Published:
3 July 2023

What is CVE-2023-36814?

A denial of service vulnerability exists in the Zope Content Management Framework (CMF) due to the improper handling of unchecked input in the Python marshal module within the PortalFolder objects. This security weakness allows unauthenticated users to exploit the public method, potentially causing application crashes across all portal software utilizing the vulnerable Products.CMFCore. This affects all deployments relying on version 3.2 and earlier of the framework. The issue has been resolved in the recent update of Products.CMFCore.

Affected Version(s)

Products.CMFCore < 3.2

References

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.