CVE-2002-0170: Zope does not properly verify the access for objects with proxy roles
CVSS Score: N/A

Basic Information

CVE ID: CVE-2002-0170
GHSA ID:
EPSS Score: 0.72026%
CWE: CWE-284 (Improper Access Control)
Published: 4/30/2022
Updated: 2/12/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: -
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
zope | pip | >= 2.2.0, < 2.4.4 | 2.4.4 |
zope | pip | >= 2.5.0, < 2.5.1 | 2.5.1 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability centers on improper access control for objects that carry proxy roles. The hotfix description explicitly states that the owner's context was not considered during security checks: a proxy role on an executable was honoured on its own, without reference to where in the object tree the executable's owner is actually defined and therefore which objects that owner's roles legitimately cover. Two components are core to this part of Zope's security model: the ownership-context lookup (the function name is not preserved in this analysis), which establishes the owner context a proxied execution runs under and is critical to how proxy roles are inherited, and SecurityManager.validate, which performs the permission check itself. Failure to propagate the owner's context into that check would directly explain the described privilege escalation. No commit diff is provided, but the CWE-284 classification and Zope's security architecture strongly implicate these components.
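The following is an added illustration of the failure mode described above; it is not code from Zope, from the hotfix, or from this advisory. It models a container tree, an executable with an owner and proxy roles, and two versions of the validation step: one that honours proxy roles unconditionally (the behaviour the analysis describes) and one that first checks that the accessed object lies within the owner's context, i.e. at or below the folder where the owner is defined. The class and function names, the tree, the role names and the notion of "home" folder are assumptions chosen for the example and only approximate Zope's real policy objects.

```python
"""Toy model of proxy-role validation with and without an owner-context check.

Added example, not Zope code. Names (Node, Owner, Executable, validate_*)
and the object tree are assumptions for illustration only.
"""
from dataclasses import dataclass
from typing import Iterator, Optional


@dataclass
class Node:
    """A content object (folder or document) in a container tree.

    roles_required lists the roles that may access this node.
    """
    name: str
    parent: Optional["Node"] = None
    roles_required: frozenset = frozenset()

    def ancestors_and_self(self) -> Iterator["Node"]:
        node: Optional[Node] = self
        while node is not None:
            yield node
            node = node.parent


@dataclass
class Owner:
    """The user who owns an executable.

    'home' is the folder whose user folder defines this user; that folder
    and everything below it is the owner's context (assumed model).
    """
    name: str
    home: Node

    def check_context(self, obj: Node) -> bool:
        """True if obj is inside the owner's context (home or below)."""
        return any(ancestor is self.home for ancestor in obj.ancestors_and_self())


@dataclass
class Executable:
    """A through-the-web script or method that runs with proxy roles."""
    owner: Owner
    proxy_roles: frozenset


def validate_vulnerable(target: Node, exe: Executable) -> bool:
    """Flawed check: a proxy role matching a required role is enough,
    regardless of where the owner is defined."""
    return bool(exe.proxy_roles & target.roles_required)


def validate_fixed(target: Node, exe: Executable) -> bool:
    """Corrected check: proxy roles only count for objects within the
    owner's context; anything above it is denied before roles are compared."""
    if not exe.owner.check_context(target):
        return False
    return bool(exe.proxy_roles & target.roles_required)


def build_scenario() -> dict:
    """Constructed sample tree: a sub-folder admin owns an executable whose
    proxy role is 'Manager', which also happens to be required at the root."""
    root = Node("root", roles_required=frozenset({"Manager"}))
    secret = Node("secret", parent=root, roles_required=frozenset({"Manager"}))
    sub = Node("sub", parent=root, roles_required=frozenset({"Manager", "SubAdmin"}))
    subdoc = Node("subdoc", parent=sub, roles_required=frozenset({"Manager", "SubAdmin"}))
    # alice is defined by a user folder inside 'sub', so 'sub' is her context
    alice = Owner("alice", home=sub)
    exe = Executable(owner=alice, proxy_roles=frozenset({"Manager"}))
    return {"secret": secret, "subdoc": subdoc, "exe": exe}


if __name__ == "__main__":
    s = build_scenario()
    for label, fn in (("vulnerable", validate_vulnerable), ("fixed", validate_fixed)):
        print(label, "secret (above owner):", fn(s["secret"], s["exe"]),
              "subdoc (in context):", fn(s["subdoc"], s["exe"]))
```

Run as a script it shows the difference directly: the vulnerable check lets an executable owned by a user defined inside `sub` read `secret` at the root merely because its proxy role name matches, while the fixed check denies that and still permits access to `subdoc`, which is within the owner's context.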