
CVE-2010-3198: Zope Denial of Service (DoS) vulnerability in ZServer

CVSS Score
7.5 (CVSS v3.1)

Basic Information

EPSS Score
0.74226%
Published
5/17/2022
Updated
11/26/2024
KEV Status
No
Technology
Python

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Package Name   Ecosystem   Vulnerable Versions        First Patched Version
Zope           pip         >= 2.10.0, < 2.10.12       2.10.12
Zope           pip         >= 2.11.0, < 2.11.7        2.11.7

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from uncaught exceptions in ZServer's worker-thread handling. The pre-patch code in ZServerPublisher.py's __init__ method, which runs the request-processing loop, had no general exception handling around that loop, so any exception raised while publishing a request propagated out of the loop and terminated the worker thread, leaving one fewer worker to serve requests; a remote client able to trigger such exceptions repeatedly can exhaust the worker pool. The fix in commit 0f2f56f adds a try/except block at this level that logs the exception instead of letting it propagate, so the thread survives and continues serving. This matches the CWE-400 (uncontrolled resource consumption) pattern and the advisory's description of worker-thread crashes via unhandled exceptions.
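The following is an added illustration of the failure mode above, not Zope's own code: a hypothetical request-loop worker in the pre-patch shape (no exception handling around the loop) beside one in the post-patch shape (catch and log at loop level). The `Request`, `publish`, worker and `run` names, and the `/boom` path that makes the handler raise, are all constructed for this example.

```python
import logging
import queue
import threading

logging.basicConfig(level=logging.ERROR, format="%(levelname)s %(threadName)s: %(message)s")
log = logging.getLogger("zserver-example")


class Request:
    """Minimal stand-in for a parsed HTTP request (constructed for this example)."""

    def __init__(self, path):
        self.path = path


def publish(request):
    """Hypothetical application code behind the worker. A request the
    application cannot handle escapes as an ordinary Python exception,
    which is the situation the advisory describes."""
    if request.path == "/boom":
        raise ValueError("application failed to handle %s" % request.path)
    return "200 %s" % request.path


def worker_unguarded(q, served):
    """Pre-patch shape: the request loop has no exception handling, so the
    first uncaught exception unwinds the loop and ends the thread. Every
    request still queued behind it is never served."""
    while True:
        request = q.get()
        if request is None:  # shutdown sentinel
            return
        served.append(publish(request))


def worker_guarded(q, served):
    """Post-patch shape: catch at loop level, log, and keep serving."""
    while True:
        request = q.get()
        if request is None:  # shutdown sentinel
            return
        try:
            served.append(publish(request))
        except Exception:
            log.exception("request for %s raised; worker continues", request.path)
            served.append("500 %s" % request.path)


def run(worker, paths):
    """Feed `paths` to a single worker thread and report what it served,
    whether the thread died of an uncaught exception, and how many queued
    items (including the shutdown sentinel) were left unserved."""
    q = queue.Queue()
    served = []
    deaths = []
    old_hook = threading.excepthook
    # Record, instead of printing, any exception that escapes the thread.
    threading.excepthook = lambda args: deaths.append(args.exc_type.__name__)
    try:
        t = threading.Thread(target=worker, args=(q, served), name=worker.__name__)
        t.start()
        for p in paths:
            q.put(Request(p))
        q.put(None)
        t.join(timeout=5)
    finally:
        threading.excepthook = old_hook
    return {"served": served, "thread_died": bool(deaths), "unserved": q.qsize()}


if __name__ == "__main__":
    paths = ["/index", "/boom", "/about"]
    for w in (worker_unguarded, worker_guarded):
        print(w.__name__, run(w, paths))
```

With a pool of N such unguarded workers, N requests for `/boom` leave no thread alive to serve anything else, which is the denial of service the advisory describes; the guarded worker answers the bad request with an error and goes on to serve `/about`. The `threading.excepthook` hook also shows the operational signal to watch for: a worker thread that exits via an uncaught exception rather than by its shutdown path.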


WAF Protection Rules

WAF Rule

ZServer in Zope 2.10.x before 2.10.12 and 2.11.x before 2.11.7 allows remote attackers to cause a denial of service (crash of worker threads) via vectors that trigger uncaught exceptions.
