CVE-2006-3458: Zope allows local users to read arbitrary files
CVSS Score: 2.1

Basic Information

CVE ID: CVE-2006-3458
GHSA ID
EPSS Score: 0.29162%
CWE: -
Published: 5/1/2022
Updated: 11/21/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
Zope2 | pip | >= 2.7.0, < 2.7.8 | 2.7.8 |
Zope2 | pip | >= 2.8.0, < 2.8.7 | 2.8.7 |
Zope2 | pip | >= 2.9.0, < 2.9.3 | 2.9.3 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from Zope's integration of the docutils reStructuredText parser without disabling the 'raw' directive, which lets untrusted reStructuredText pull content from the local filesystem into the rendered output. The 'restructuredtext' transform function in Products/PortalTransforms would have invoked docutils' parsing functionality with that directive still enabled. The security fix explicitly mentions disabling the 'raw' command, indicating this was the entry point where the unsafe configuration occurred. Note that the file path is inferred from Zope's standard transform architecture and docutils integration patterns rather than confirmed from the patch itself.