CVE-2023-36814: 
Python vulnerability analysis and mitigation

Products.CMFCore, a key framework service for the Zope Content Management Framework (CMF), was found to contain a vulnerability (CVE-2023-36814) discovered in July 2023. The vulnerability stems from the unchecked use of Python's marshal module in handling input through a public method on PortalFolder objects. This vulnerability affects all portal software built on top of Products.CMFCore, including Plone, making all deployments vulnerable (GitHub Advisory).

The vulnerability exists in the decodeFolderFilter method of PortalFolder objects, which uses Python's marshal module to process unchecked input. The method is exposed publicly and the input is not under proper control, which can lead to security issues. The vulnerability has been assigned a CVSS v3.1 Base Score of 7.5 (HIGH) with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability can lead to an unauthenticated denial of service and system crash situation. Since the affected code is exposed by all portal software built on top of Products.CMFCore, including Plone, the impact is widespread across all deployments (GitHub Advisory).

The vulnerability has been fixed in Products.CMFCore version 3.2. As a workaround, users can make the affected decodeFolderFilter method unreachable by editing the PortalFolder.py module in Products.CMFCore manually. This involves removing both the @security.public decorator for decodeFolderFilter and the method's entire docstring from line 233 of PortalFolder.py, followed by a Zope restart. This workaround is safe as the method is not used by current code (GitHub Advisory).