Advisory Details

June 21st, 2024

(0Day) Zope CMFCore Uncontrolled Resource Consumption Denial-of-Service Vulnerability

ZDI-24-841
ZDI-CAN-21491

CVE ID:
CVSS SCORE: 7.5, AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
AFFECTED VENDORS: Zope
AFFECTED PRODUCTS: Zope
VULNERABILITY DETAILS

This vulnerability allows network-adjacent attackers to create a denial-of-service condition on affected installations of Zope Application Server. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the contentFilter class. The issue results from uncontrolled resource consumption. An attacker can leverage this vulnerability to create a denial-of-service condition on the server.

ADDITIONAL DETAILS

07/13/23 – ZDI reported the vulnerability to the vendor
11/15/23 – ZDI asked for updates
12/19/23 – ZDI asked for updates
06/20/24 – ZDI notified the vendor of the intention to publish the cases as 0-day advisory

-- Mitigation: Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the application.


DISCLOSURE TIMELINE
  • 2023-07-13 - Vulnerability reported to vendor
  • 2024-06-21 - Coordinated public release of advisory
  • 2024-08-15 - Advisory Updated

CREDIT: Anonymous