CVE-2023-36814
Description
Products.CMFCore are the key framework services for the Zope Content Management Framework (CMF). The use of Python's marshal module to handle unchecked input in a public method on `PortalFolder` objects can lead to an unauthenticated denial of service and crash situation. The code in question is exposed by all portal software built on top of `Products.CMFCore`, such as Plone. All deployments are vulnerable. The code has been fixed in `Products.CMFCore` version 3.2.
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| PyPI | products-cmfcore | >=3.0,<3.2 | 3.2 |
| PyPI | products-cmfcore | <2.7.1 | 2.7.1 |
| PyPI | products-cmfcore | <3.2 (before commit 40f03f43a60f28ca9485c8ef429efef729be54e5) | commit 40f03f43a60f28ca9485c8ef429efef729be54e5 |
References
- https://github.com/zopefoundation/Products.CMFCore/security/advisories/GHSA-4hpj-8rhv-9x87
- https://nvd.nist.gov/vuln/detail/CVE-2023-36814
- https://github.com/zopefoundation/Products.CMFCore/commit/40f03f43a60f28ca9485c8ef429efef729be54e5
- https://github.com/zopefoundation/Products.CMFCore/commit/c1847a9042abe7965271fa73762dfe091b576de
- https://github.com/pypa/advisory-database/tree/main/vulns/products-cmfcore/PYSEC-2023-113.yaml
- https://github.com/zopefoundation/Products.CMFCore