Vulnerability Description
Products.CMFCore provides the key framework services for the Zope Content Management Framework (CMF). The use of Python's marshal module to deserialize unchecked input in a public method on `PortalFolder` objects can lead to an unauthenticated denial of service and a crash. The code in question is exposed by all portal software built on top of `Products.CMFCore`, such as Plone. All deployments are vulnerable. The code has been fixed in `Products.CMFCore` version 3.2.
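As an added illustration, not code from Products.CMFCore or its fix, the risk pattern the advisory describes (request bytes handed straight to `marshal.loads`) beside a hardened decoder that bounds the input, parses a documented-safe format and checks types; the parameter schema, size cap and function names are assumptions:

```python
import json
import marshal

# Assumed upper bound for this parameter and a hypothetical schema for it;
# neither comes from Products.CMFCore.
MAX_PAYLOAD_BYTES = 4096
ALLOWED_KEYS = {"ids": list, "path": str}


class BadRequestPayload(ValueError):
    """Raised for any input that is not exactly what the public method expects."""


def decode_payload_unchecked(raw: bytes):
    """Risky pattern (illustration only): untrusted bytes go straight to marshal.
    marshal is documented as unsafe for untrusted data; malformed input can raise
    unexpected exceptions or crash the interpreter instead of failing cleanly."""
    return marshal.loads(raw)


def decode_payload(raw: bytes) -> dict:
    """Hardened replacement: size cap, strict UTF-8, JSON only, explicit type checks."""
    if not isinstance(raw, (bytes, bytearray)):
        raise BadRequestPayload("payload must be bytes")
    if len(raw) > MAX_PAYLOAD_BYTES:
        raise BadRequestPayload("payload too large")
    try:
        data = json.loads(raw.decode("utf-8", errors="strict"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise BadRequestPayload(f"malformed payload: {exc}") from None
    # Reject anything that is not a flat object with exactly the expected keys.
    if not isinstance(data, dict) or set(data) != set(ALLOWED_KEYS):
        raise BadRequestPayload("unexpected structure")
    for key, expected in ALLOWED_KEYS.items():
        if not isinstance(data[key], expected):
            raise BadRequestPayload(f"field {key!r} must be {expected.__name__}")
    if not all(isinstance(item, str) for item in data["ids"]):
        raise BadRequestPayload("ids must be strings")
    return data


def safe_decode(raw: bytes):
    """What a request handler should do: decoding errors become a controlled
    error response, never an unhandled exception that takes the worker down."""
    try:
        return decode_payload(raw), None
    except BadRequestPayload as exc:
        return None, str(exc)
```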
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Zope | Products.CMFCore | < 3.2 |
Related Weaknesses (CWE)
References
- https://github.com/zopefoundation/Products.CMFCore/commit/40f03f43a60f28ca9485c8 (Mitigation, Patch, Vendor Advisory)
- https://github.com/zopefoundation/Products.CMFCore/security/advisories/GHSA-4hpj (Vendor Advisory)
FAQ
What is CVE-2023-36814?
CVE-2023-36814 is a vulnerability with a CVSS score of 7.5 (HIGH). Products.CMFCore are the key framework services for the Zope Content Management Framework (CMF). The use of Python's marshal module to handle unchecked input in a public method on `PortalFolder` objec...
How severe is CVE-2023-36814?
CVE-2023-36814 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-36814?
Check the references section above for vendor advisories and patch information. Affected products include: Zope Products.CMFCore.