CVE-2006-3458
First published: Fri Jul 07 2006(Updated: )
Zope 2.7.0 to 2.7.8, 2.8.0 to 2.8.7, and 2.9.0 to 2.9.3 (Zope2) does not disable the "raw" command when providing untrusted users with restructured text (reStructuredText) functionality from docutils, which allows local users to read arbitrary files.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| pip/Zope2 | >=2.9.0<2.9.3 | 2.9.3 |
| pip/Zope2 | >=2.8.0<2.8.7 | 2.8.7 |
| pip/Zope2 | >=2.7.0<2.7.8 | 2.7.8 |
| Zope ZODB | =2.7.0 | |
| Zope ZODB | =2.7.1 | |
| Zope ZODB | =2.7.2 | |
| Zope ZODB | =2.7.3 | |
| Zope ZODB | =2.7.4 | |
| Zope ZODB | =2.7.5 | |
| Zope ZODB | =2.7.6 | |
| Zope ZODB | =2.7.7 | |
| Zope ZODB | =2.7.8 | |
| Zope ZODB | =2.8.0 | |
| Zope ZODB | =2.8.1 | |
| Zope ZODB | =2.8.2 | |
| Zope ZODB | =2.8.3 | |
| Zope ZODB | =2.8.4 | |
| Zope ZODB | =2.8.5 | |
| Zope ZODB | =2.8.6 | |
| Zope ZODB | =2.8.7 | |
| Zope ZODB | =2.9.0 | |
| Zope ZODB | =2.9.1 | |
| Zope ZODB | =2.9.2 | |
| Zope ZODB | =2.9.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.zope.org/Products/Zope/Hotfix-2006-07-05/Hotfix-20060705/README.txt
- http://secunia.com/advisories/20988
- http://mail.zope.org/pipermail/zope-announce/2006-July/001984.html
- http://www.securityfocus.com/bid/18856
- http://secunia.com/advisories/21025
- http://www.debian.org/security/2006/dsa-1113
- http://secunia.com/advisories/21130
- http://www.novell.com/linux/security/advisories/2006_19_sr.html
- http://secunia.com/advisories/21459
- http://www.vupen.com/english/advisories/2006/2681
- https://exchange.xforce.ibmcloud.com/vulnerabilities/27636
- https://usn.ubuntu.com/317-1/
- https://nvd.nist.gov/vuln/detail/CVE-2006-3458
- https://github.com/pypa/advisory-database/tree/main/vulns/zope2/PYSEC-2006-7.yaml
- https://usn.ubuntu.com/317-1
- https://github.com/advisories/GHSA-jcjp-qqpq-pc54 (Advisory)
Frequently Asked Questions
What is the severity of CVE-2006-3458?
CVE-2006-3458 is considered a moderate vulnerability due to its potential for local users to access arbitrary files.
How do I fix CVE-2006-3458?
To fix CVE-2006-3458, upgrade to Zope2 versions 2.7.8, 2.8.7, or 2.9.3.
Which versions are affected by CVE-2006-3458?
CVE-2006-3458 affects Zope2 versions 2.7.0 to 2.7.8, 2.8.0 to 2.8.7, and 2.9.0 to 2.9.3.
What type of attack does CVE-2006-3458 enable?
CVE-2006-3458 enables local users to read arbitrary files on the system.
Is CVE-2006-3458 related to user permissions?
Yes, CVE-2006-3458 exploits insufficient restrictions on commands available to untrusted users.
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/severity
- agent/description
- agent/first-publish-date
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-jcjp-qqpq-pc54
- alias/CVE-2006-3458
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/references
- agent/softwarecombine
- agent/event
- collector/github-advisory
- agent/author
- agent/trending
- agent/source
- agent/tags
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-historical
- collector/nvd-index
- package-manager/pip
- vendor/zope
- canonical/zope zodb
- version/zope zodb/2.7.0
- version/zope zodb/2.7.1
- version/zope zodb/2.7.2
- version/zope zodb/2.7.3
- version/zope zodb/2.7.4
- version/zope zodb/2.7.5
- version/zope zodb/2.7.6
- version/zope zodb/2.7.7
- version/zope zodb/2.7.8
- version/zope zodb/2.8.0
- version/zope zodb/2.8.1
- version/zope zodb/2.8.2
- version/zope zodb/2.8.3
- version/zope zodb/2.8.4
- version/zope zodb/2.8.5
- version/zope zodb/2.8.6
- version/zope zodb/2.8.7
- version/zope zodb/2.9.0
- version/zope zodb/2.9.1
- version/zope zodb/2.9.2
- version/zope zodb/2.9.3