CVE-2009-0668 - Unspecified vulnerability in Zope ZODB

047910
CVSS 0.0 - NONE
Attack vector: UNKNOWN
Attack complexity: UNKNOWN
Privileges required: UNKNOWN
Confidentiality impact: UNKNOWN
Integrity impact: UNKNOWN
Availability impact: UNKNOWN
zope
nessus

Summary

Unspecified vulnerability in Zope Object Database (ZODB) before 3.8.2, when certain Zope Enterprise Objects (ZEO) database sharing is enabled, allows remote attackers to execute arbitrary Python code via vectors involving the ZEO network protocol.

Nessus

  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-2234.NASL
    description: Several remote vulnerabilities have been discovered in python-zodb, a set of tools for using ZODB, that could lead to arbitrary code execution in the worst case. The Common Vulnerabilities and Exposures project identifies the following problems: - CVE-2009-0668 The ZEO server doesn
    last seen: 2020-03-17
    modified: 2011-05-11
    plugin id: 53861
    published: 2011-05-11
    reporter: This script is Copyright (C) 2011-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/53861
    title: Debian DSA-2234-1 : zodb - several vulnerabilities
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-1863.NASL
    description: Several remote vulnerabilities have been discovered in the zope, a feature-rich web application server written in python, that could lead to arbitrary code execution in the worst case. The Common Vulnerabilities and Exposures project identified the following problems: - CVE-2009-0668 Due to a programming error an authorization method in the StorageServer component of ZEO was not used as an internal method. This allows a malicious client to bypass authentication when connecting to a ZEO server by simply calling this authorization method. - CVE-2009-0668 The ZEO server doesn
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 44728
    published: 2010-02-24
    reporter: This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/44728
    title: Debian DSA-1863-1 : zope2.10/zope2.9 - several vulnerabilities
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-848-1.NASL
    description: It was discovered that the Zope Object Database (ZODB) database server (ZEO) improperly filtered certain commands when a database is shared among multiple applications or application instances. A remote attacker could send malicious commands to the server and execute arbitrary code. (CVE-2009-0668) It was discovered that the Zope Object Database (ZODB) database server (ZEO) did not handle authentication properly when a database is shared among multiple applications or application instances. A remote attacker could use this flaw to bypass security restrictions. (CVE-2009-0669) It was discovered that Zope did not limit the number of new object ids a client could request. A remote attacker could use this flaw to consume a huge amount of resources, leading to a denial of service. (No CVE identifier). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 42146
    published: 2009-10-15
    reporter: Ubuntu Security Notice (C) 2009-2019 Canonical, Inc. / NASL script (C) 2009-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/42146
    title: Ubuntu 6.06 LTS / 8.04 LTS / 8.10 / 9.04 : zope3 vulnerabilities (USN-848-1)