CVE-2000-0725

Zope before 2.2.1 does not properly restrict access to the getRoles method, which allows users who can edit DTML to add or modify roles by modifying the roles list that is included in a request.

CVSS v2.0 7.2 HIGH

7.2^/10

CVSS v2.0 : HIGH

V2 Legend

Vector : AV:L/AC:L/Au:N/C:C/I:C/A:C

Exploitability : 3.9 / Impact : 10.0

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
http://www.debian.org/security/2000/20000821	Vendor Advisory
http://archives.neohapsis.com/archives/bugtraq/2000-08/0259.html	Patch
http://archives.neohapsis.com/archives/bugtraq/2000-08/0198.html	Patch Vendor Advisory
http://www.securityfocus.com/bid/1577	Patch Vendor Advisory
http://www.zope.org/Products/Zope/Hotfix_08_09_2000/security_alert
http://www.redhat.com/support/errata/RHSA-2000-052.html

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:zope:zope:2.1.1:::::::*
	cpe:2.3:a:zope:zope:2.1.7:::::::*
	cpe:2.3:a:zope:zope:2.2_beta1:::::::*
	cpe:2.3:a:zope:zope:1.10.3:::::::*

Information

Published : 2000-10-19 21:00

Updated : 2008-09-10 12:05

NVD link : CVE-2000-0725

Mitre link : CVE-2000-0725

JSON object : View

CWE

NVD-CWE-Other

Products Affected

zope

zope

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "http://www.debian.org/security/2000/20000821", "name": "20000821 zope: unauthorized escalation of privilege (update)", "tags": ["Vendor Advisory"], "refsource": "DEBIAN"}, {"url": "http://archives.neohapsis.com/archives/bugtraq/2000-08/0259.html", "name": "20000821 Conectiva Linux Security Announcement - Zope", "tags": ["Patch"], "refsource": "BUGTRAQ"}, {"url": "http://archives.neohapsis.com/archives/bugtraq/2000-08/0198.html", "name": "20000816 MDKSA-2000:035 Zope update", "tags": ["Patch", "Vendor Advisory"], "refsource": "BUGTRAQ"}, {"url": "http://www.securityfocus.com/bid/1577", "name": "1577", "tags": ["Patch", "Vendor Advisory"], "refsource": "BID"}, {"url": "http://www.zope.org/Products/Zope/Hotfix_08_09_2000/security_alert", "name": "http://www.zope.org/Products/Zope/Hotfix_08_09_2000/security_alert", "tags": [], "refsource": "CONFIRM"}, {"url": "http://www.redhat.com/support/errata/RHSA-2000-052.html", "name": "RHSA-2000:052", "tags": [], "refsource": "REDHAT"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "Zope before 2.2.1 does not properly restrict access to the getRoles method, which allows users who can edit DTML to add or modify roles by modifying the roles list that is included in a request."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2000-0725", "ASSIGNER": "cve@mitre.org"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 7.2, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "authentication": "NONE", "integrityImpact": "COMPLETE", "accessComplexity": "LOW", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "severity": "HIGH", "impactScore": 10.0, "obtainAllPrivilege": true, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}}, "publishedDate": "2000-10-20T04:00Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:zope:zope:2.1.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:zope:zope:2.1.7:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:zope:zope:2.2_beta1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:zope:zope:1.10.3:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2008-09-10T19:05Z"}

7.2 /10