CVE-2006-3458: Zope allows local users to read arbitrary files

May 1, 2022 (updated November 21, 2024)

Zope 2.7.0 to 2.7.8, 2.8.0 to 2.8.7, and 2.9.0 to 2.9.3 (Zope2) does not disable the “raw” command when providing untrusted users with restructured text (reStructuredText) functionality from docutils, which allows local users to read arbitrary files.

References

exchange.xforce.ibmcloud.com/vulnerabilities/27636
github.com/advisories/GHSA-jcjp-qqpq-pc54
github.com/pypa/advisory-database/tree/main/vulns/zope2/PYSEC-2006-7.yaml
github.com/zopefoundation/Zope
nvd.nist.gov/vuln/detail/CVE-2006-3458
usn.ubuntu.com/317-1

Code Behaviors & Features

Detect and mitigate CVE-2006-3458 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →