
CVE-2002-0170: Zope does not properly verify the access for objects with proxy roles

CVSS Score: N/A

Basic Information

EPSS Score: 0.72026%
Published: 4/30/2022
Updated: 2/12/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: -

Package Name   Ecosystem   Vulnerable Versions    First Patched Version
zope           pip         >= 2.2.0, < 2.4.4      2.4.4
zope           pip         >= 2.5.0, < 2.5.1      2.5.1

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability centers on improper access control for objects with proxy roles. The hotfix description explicitly states that the owner's context was not considered during security checks. Two functions are core to Zope's security model here: __of__, which manages ownership-context acquisition (critical for proxy-role inheritance), and SecurityManager.validate, which handles permission validation. A failure to propagate the owner's context through these functions would directly explain the described privilege escalation. While no explicit commit diff is provided, the CWE-284 classification and Zope's security architecture strongly implicate these components.

Vulnerable functions

Only Miggo users can see this section

WAF Protection Rules

WAF Rule

Zope 2.2.0 through 2.5.0 does not properly verify the access for objects with proxy roles, which could allow some users to access documents in violation of the intended configuration.
