Vulnerability Name: CVE-2009-2701 (CCN-53052)

Assigned: 2009-09-04
Published: 2009-09-04
Updated: 2009-09-09
Summary: Unspecified vulnerability in the Zope Enterprise Objects (ZEO) storage-server functionality in Zope Object Database (ZODB) 3.8 before 3.8.3 and 3.9.x before 3.9.0c2, when certain ZEO database sharing and blob support are enabled, allows remote authenticated users to read or delete arbitrary files via unknown vectors.
CVSS v3 Severity: 3.7 Low (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): Low
Availability (A): None
CVSS v2 Severity: 6.0 Medium (CVSS v2 Vector: AV:N/AC:M/Au:S/C:P/I:P/A:P)
4.4 Medium (Temporal CVSS v2 Vector: AV:N/AC:M/Au:S/C:P/I:P/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): Single Instance
Impact Metrics: Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
2.6 Low (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:N/I:P/A:N)
1.9 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:H/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): High
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
Vulnerability Type: CWE-noinfo
Vulnerability Consequences: Obtain Information
References:
Source: MITRE
Type: CNA
CVE-2009-2701

Source: CCN
Type: Python Web site
Python Package Index : ZODB3 3.8.3

Source: CONFIRM
Type: Patch
http://pypi.python.org/pypi/ZODB3/3.8.3

Source: CONFIRM
Type: Patch
http://pypi.python.org/pypi/ZODB3/3.9.0c2

Source: CCN
Type: SA36637
Zope Object Database ZEO Server Information Disclosure and File Deletion

Source: CCN
Type: OSVDB ID: 57760
Zope Object Database (ZODB) Zope Enterprise Objects (ZEO) Server Arbitrary File Manipulation

Source: CCN
Type: BID-36283
Zope Object Database ZEO Server Remote Security Bypass Vulnerability

Source: VUPEN
Type: Patch, Vendor Advisory
ADV-2009-2534

Source: CCN
Type: Zope Web site
Zope

Source: XF
Type: UNKNOWN
zope-file-security-bypass(53052)

Source: CCN
Type: Zope-Annce Mailing List, Tue Sep 1 06:12:13 EDT 2009
CVE-2009-2701: Releases to fix ZODB ZEO server vulnerability

Source: MLIST
Type: Patch
[zope-announce] 20090901 CVE-2009-2701: Releases to fix ZODB ZEO server vulnerability

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:zope:zodb:3.8:*:*:*:*:*:*:*
  • OR cpe:/a:zope:zodb:3.8.0:*:*:*:*:*:*:*
  • OR cpe:/a:zope:zodb:3.8.1:*:*:*:*:*:*:*
  • OR cpe:/a:zope:zodb:3.8.2:*:*:*:*:*:*:*
  • OR cpe:/a:zope:zodb:3.9.0:*:*:*:*:*:*:*
  • OR cpe:/a:zope:zodb:3.9.0b1:*:*:*:*:*:*:*
  • OR cpe:/a:zope:zodb:3.9.0b2:*:*:*:*:*:*:*
  • OR cpe:/a:zope:zodb:3.9.0b3:*:*:*:*:*:*:*
  • OR cpe:/a:zope:zodb:3.9.0b4:*:*:*:*:*:*:*
  • OR cpe:/a:zope:zodb:3.9.0b5:*:*:*:*:*:*:*
  • OR cpe:/a:zope:zodb:3.9.0c1:*:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:zope:zodb:3.8:*:*:*:*:*:*:*
  • OR cpe:/a:zope:zodb:3.8.2:*:*:*:*:*:*:*
  • OR cpe:/a:zope:zope:2.11.4:*:*:*:*:*:*:*
  • OR cpe:/a:zope:zope:2.10.9:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable
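The affected ranges in the summary (3.8 before 3.8.3, 3.9.x before 3.9.0c2) turned into a version check, as an added example that is not part of this record or of the ZODB project. It assumes the PyPI distribution name ZODB3 seen in the references above, and its parser only understands the release scheme used on this page (X.Y, X.Y.Z, and a/b/c pre-release tags, ordered a < b < c < final). Note that the CPE block lists 3.9.0; the check follows the summary's boundary, so a 3.9.0 final is reported as outside the affected range. A matching version is necessary but not sufficient for exposure: the summary conditions the issue on ZEO database sharing and blob support being enabled.

```python
import re
from importlib import metadata

# Release scheme used on this page: "3.8", "3.8.2", "3.9.0b5", "3.9.0c1".
# Pre-release letters order a < b < c, and a final release sorts after all of them.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:([abc])(\d+))?$")
_PRE_RANK = {"a": 0, "b": 1, "c": 2}
_FINAL_RANK = 3


def parse_version(text):
    """Return a sortable tuple for a ZODB3 version string, or raise ValueError."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ZODB3 version: {text!r}")
    major, minor, patch, pre_tag, pre_num = m.groups()
    release = (int(major), int(minor), int(patch or 0))
    pre = (_PRE_RANK[pre_tag], int(pre_num)) if pre_tag else (_FINAL_RANK, 0)
    return release + pre


# Affected ranges from the summary; each entry is (first affected, first fixed).
# "3.9.0a0" is the smallest possible 3.9 pre-release, so it covers every 3.9.0 beta/rc.
AFFECTED_RANGES = (
    (parse_version("3.8"), parse_version("3.8.3"), "3.8.3"),
    (parse_version("3.9.0a0"), parse_version("3.9.0c2"), "3.9.0c2"),
)


def fixed_release_for(version_text):
    """Return the first fixed release in the matching branch, or None if unaffected."""
    v = parse_version(version_text)
    for lo, hi, fixed in AFFECTED_RANGES:
        if lo <= v < hi:
            return fixed
    return None


def is_vulnerable(version_text):
    """True if the given ZODB3 version falls inside an affected range."""
    return fixed_release_for(version_text) is not None


def installed_zodb3_version():
    """Version of the ZODB3 distribution in this interpreter, or None if not installed."""
    try:
        return metadata.version("ZODB3")  # distribution name from the PyPI references
    except metadata.PackageNotFoundError:
        return None


def audit(versions):
    """Map each version string to a status; unparsable strings are flagged, not skipped."""
    report = {}
    for text in versions:
        try:
            fixed = fixed_release_for(text)
        except ValueError:
            report[text] = "unrecognised"
            continue
        report[text] = f"affected, upgrade to {fixed}" if fixed else "not in affected range"
    return report


if __name__ == "__main__":
    # Constructed sample: the CPE entries above plus the two fixed releases and 3.9.0 final.
    sample = ["3.8", "3.8.2", "3.9.0b5", "3.9.0c1", "3.8.3", "3.9.0c2", "3.9.0", "3.9-dev"]
    for version, status in audit(sample).items():
        print(f"{version:8} {status}")
    local = installed_zodb3_version()
    if local is not None:
        print(f"installed ZODB3 {local}: {audit([local])[local]}")
```

Run it on a host that serves ZEO; the installed-version branch reads the distribution metadata rather than importing ZODB, so it can be run from any interpreter that shares the site-packages directory.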