VulnerableCode Package Details - pkg:pypi/accesscontrol@4.0a2

Search for packages

Vulnerability	Summary	Fixed by
VCID-fwdt-q5s4-tud3 Aliases: CVE-2024-51734 GHSA-g5vw-3h65-2q3v	Zope AccessControl provides a general security framework for use in Zope. In affected versions anonymous users can delete the user data maintained by an `AccessControl.userfolder.UserFolder` which may prevent any privileged access. This problem has been fixed in version 7.2. Users are advised to upgrade. Users unable to upgrade may address the issue by adding `data__roles__ = ()` to `AccessControl.userfolder.UserFolder`.	7.2 Affected by 0 other vulnerabilities.
VCID-w64j-gt6v-mfc7 Aliases: CVE-2023-41050 GHSA-8xv7-89vj-q48c	AccessControl provides a general security framework for use in Zope. Python's "format" functionality allows someone controlling the format string to "read" objects accessible (recursively) via attribute access and subscription from accessible objects. Those attribute accesses and subscriptions use Python's full blown `getattr` and `getitem`, not the policy restricted `AccessControl` variants `_getattr_` and `_getitem_`. This can lead to critical information disclosure. `AccessControl` already provides a safe variant for `str.format` and denies access to `string.Formatter`. However, `str.format_map` is still unsafe. Affected are all users who allow untrusted users to create `AccessControl` controlled Python code and execute it. A fix has been introduced in versions 4.4, 5.8 and 6.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.	4.4 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 5.8 Affected by 0 other vulnerabilities. 6.2 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-fwdt-q5s4-tud3
Aliases:
CVE-2024-51734
GHSA-g5vw-3h65-2q3v

Zope AccessControl provides a general security framework for use in Zope. In affected versions anonymous users can delete the user data maintained by an `AccessControl.userfolder.UserFolder` which may prevent any privileged access. This problem has been fixed in version 7.2. Users are advised to upgrade. Users unable to upgrade may address the issue by adding `data__roles__ = ()` to `AccessControl.userfolder.UserFolder`.

7.2
Affected by 0 other vulnerabilities.

VCID-w64j-gt6v-mfc7
Aliases:
CVE-2023-41050
GHSA-8xv7-89vj-q48c

AccessControl provides a general security framework for use in Zope. Python's "format" functionality allows someone controlling the format string to "read" objects accessible (recursively) via attribute access and subscription from accessible objects. Those attribute accesses and subscriptions use Python's full blown `getattr` and `getitem`, not the policy restricted `AccessControl` variants `_getattr_` and `_getitem_`. This can lead to critical information disclosure. `AccessControl` already provides a safe variant for `str.format` and denies access to `string.Formatter`. However, `str.format_map` is still unsafe. Affected are all users who allow untrusted users to create `AccessControl` controlled Python code and execute it. A fix has been introduced in versions 4.4, 5.8 and 6.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.

4.4
Affected by 1 other vulnerability.

5.8
Affected by 0 other vulnerabilities.

6.2
Affected by 1 other vulnerability.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-12T19:45:02.309760+00:00	GitLab Importer	Affected by	VCID-fwdt-q5s4-tud3	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/AccessControl/CVE-2024-51734.yml	38.6.0
2026-06-12T19:04:32.400031+00:00	GitLab Importer	Affected by	VCID-w64j-gt6v-mfc7	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/AccessControl/CVE-2023-41050.yml	38.6.0

2026-06-12T19:45:02.309760+00:00

GitLab Importer

Affected by

VCID-fwdt-q5s4-tud3

https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/AccessControl/CVE-2024-51734.yml

38.6.0

2026-06-12T19:04:32.400031+00:00

GitLab Importer

Affected by

VCID-w64j-gt6v-mfc7

https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/AccessControl/CVE-2023-41050.yml

38.6.0

Next non-vulnerable version	7.2
Latest non-vulnerable version	7.2
Risk	4.1