CVE-2000-0725

Zope before 2.2.1 does not properly restrict access to the getRoles method, which allows users who can edit DTML to add or modify roles by modifying the roles list that is included in a request.

CVSS v2.0 7.2 HIGH

7.2^/10

CVSS v2.0 : HIGH

Vector : AV:L/AC:L/Au:N/C:C/I:C/A:C

Exploitability : 3.9 / Impact : 10.0

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
http://archives.neohapsis.com/archives/bugtraq/2000-08/0198.html	Patch Vendor Advisory
http://archives.neohapsis.com/archives/bugtraq/2000-08/0259.html	Patch
http://www.debian.org/security/2000/20000821	Vendor Advisory
http://www.redhat.com/support/errata/RHSA-2000-052.html
http://www.securityfocus.com/bid/1577	Patch Vendor Advisory
http://www.zope.org/Products/Zope/Hotfix_08_09_2000/security_alert

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:zope:zope:1.10.3:::::::*
	cpe:2.3:a:zope:zope:2.1.1:::::::*
	cpe:2.3:a:zope:zope:2.1.7:::::::*
	cpe:2.3:a:zope:zope:2.2_beta1:::::::*

History

No history.

Information

Published : 2000-10-20 04:00

Updated : 2024-02-04 16:31

NVD link : CVE-2000-0725

Mitre link : CVE-2000-0725

CVE.ORG link : CVE-2000-0725

JSON object : View

Products Affected

zope

zope

CWE

NVD-CWE-Other

{"id": "CVE-2000-0725", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.2, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "authentication": "NONE", "integrityImpact": "COMPLETE", "accessComplexity": "LOW", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": false, "impactScore": 10.0, "baseSeverity": "HIGH", "obtainAllPrivilege": true, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2000-10-20T04:00:00.000", "references": [{"url": "http://archives.neohapsis.com/archives/bugtraq/2000-08/0198.html", "tags": ["Patch", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "http://archives.neohapsis.com/archives/bugtraq/2000-08/0259.html", "tags": ["Patch"], "source": "cve@mitre.org"}, {"url": "http://www.debian.org/security/2000/20000821", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "http://www.redhat.com/support/errata/RHSA-2000-052.html", "source": "cve@mitre.org"}, {"url": "http://www.securityfocus.com/bid/1577", "tags": ["Patch", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "http://www.zope.org/Products/Zope/Hotfix_08_09_2000/security_alert", "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}], "descriptions": [{"lang": "en", "value": "Zope before 2.2.1 does not properly restrict access to the getRoles method, which allows users who can edit DTML to add or modify roles by modifying the roles list that is included in a request."}], "lastModified": "2008-09-10T19:05:42.353", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:zope:zope:1.10.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "46B2B101-676C-4EF3-90FB-7B5D36D1ADF0"}, {"criteria": "cpe:2.3:a:zope:zope:2.1.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6C49596F-E215-4B70-8397-3C247F509D43"}, {"criteria": "cpe:2.3:a:zope:zope:2.1.7:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "23673C10-0D61-4835-A37C-9AAA00F1DA30"}, {"criteria": "cpe:2.3:a:zope:zope:2.2_beta1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "33CAC1ED-C055-4526-AE2A-E758C8960466"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}