CVE-2023-41050

Name of the Vulnerable Software and Affected Versions AccessControl versions prior to 4.4 AccessControl versions prior to 5.8 AccessControl versions prior to 6.2

Description The issue arises from Python's "format" functionality, which allows someone controlling the format string to access objects via attribute access and subscription. This can lead to critical information disclosure because the attribute accesses and subscriptions use Python's full-blown getattr and getitem, rather than the policy-restricted AccessControl variants getattr and getitem. AccessControl provides a safe variant for str.format and denies access to string.Formatter, but str.format map remains unsafe. Users who allow untrusted users to create and execute AccessControl controlled Python code are affected.

Recommendations For versions prior to 4.4, upgrade to version 4.4 or later. For versions prior to 5.8, upgrade to version 5.8 or later. For versions prior to 6.2, upgrade to version 6.2 or later. As a temporary workaround, consider restricting access to str.format map until a patch is available.