Jim Fulton

**Name of the Vulnerable Software and Affected Versions** Zope Object Database (ZODB) versions 3.8.0 through 3.8.2 Zope Object Database (ZODB) versions 3.9.x prior to 3.9.0c2 **Description** The issue affects the Zope Enterprise Objects (ZEO) storage-server functionality in Zope Object Database (ZODB). When certain ZEO database sharing and blob support are enabled, remote authenticated users can read or delete arbitrary files via unknown vectors. **Recommendations** For Zope Object Database (ZODB) versions 3.8.0 through 3.8.2, update to version 3.8.3 or later. For Zope Object Database (ZODB) versions 3.9.x prior to 3.9.0c2, update to version 3.9.0c2 or later.

**Name of the Vulnerable Software and Affected Versions** Zope2 versions 2.7.0 through 2.7.9 Zope2 versions 2.8.0 through 2.8.8 **Description** The issue is related to the docutils module in Zope2, which does not properly handle web pages with reStructuredText (reST) markup. This allows remote attackers to read arbitrary files via a csv table directive. **Recommendations** For Zope2 versions 2.7.0 through 2.7.9, update to a version that properly handles reST markup to prevent exploitation. For Zope2 versions 2.8.0 through 2.8.8, update to a version that properly handles reST markup to prevent exploitation. As a temporary workaround, consider disabling the csv table directive in the docutils module until a patch is available.