Advisory Details

This vulnerability allows network-adjacent attackers to create a denial-of-service condition on affected installations of Zope Application Server. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the contentFilter class. The issue results from uncontrolled resource consumption. An attacker can leverage this vulnerability to create a denial-of-service condition on the server.

07/13/23 – ZDI reported the vulnerability to the vendor
11/15/23 – ZDI asked for updates
12/19/23 – ZDI asked for updates
06/20/24 – ZDI notified the vendor of the intention to publish the cases as 0-day advisory

-- Mitigation: Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the application.

• 2023-07-13 - Vulnerability reported to vendor
• 2024-06-21 - Coordinated public release of advisory
• 2024-08-15 - Advisory Updated