Advisories for Pypi/AccessControl package

Anonymous users can delete the user data maintained by an AccessControl.userfolder.UserFolder which may prevent any privileged access.

AccessControl provides a general security framework for use in Zope. Python's "format" functionality allows someone controlling the format string to "read" objects accessible (recursively) via attribute access and subscription from accessible objects. Those attribute accesses and subscriptions use Python's full blown getattr and getitem, not the policy restricted AccessControl variants getattr and getitem. This can lead to critical information disclosure. AccessControl already provides a safe variant for str.format and denies …

The module AccessControl defines security policies for Python code used in restricted code within Zope applications. Restricted code is any code that resides in Zope's object database, such as the contents of Script (Python) objects. The policies defined in AccessControl severely restrict access to Python modules and only exempt a few that are deemed safe, such as Python's string module. However, full access to the string module also allows access …

Zope is an open-source web application server. Zope versions have a remote code execution security issue.