CVE-2023-41050: 
Python vulnerability analysis and mitigation

CVE-2023-41050 affects AccessControl, a general security framework used in Zope. The vulnerability was disclosed on September 6, 2023, and impacts versions prior to 4.4, 5.0-5.8, and 6.0-6.2. The issue relates to Python's format functionality, specifically the unsafe implementation of str.format_map (GitHub Advisory).

The vulnerability stems from Python's format functionality allowing users who control the format string to read objects accessible through attribute access and subscription from accessible objects. While AccessControl provides safe variants for str.format and blocks access to string.Formatter, the str.format_map remained unsafe. The attribute accesses and subscriptions use Python's full getattr and getitem instead of AccessControl's policy-restricted _getattr_ and _getitem_ variants (GitHub Advisory).

This vulnerability can lead to critical information disclosure in systems where untrusted users are allowed to create and execute AccessControl-controlled Python code. The CVSS v3.1 base score is 7.7 HIGH according to NVD, with a vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N, indicating high confidentiality impact (NVD).

The vulnerability has been fixed in AccessControl versions 4.4, 5.8, and 6.2. Users are strongly advised to upgrade to these patched versions as there are no known workarounds for this vulnerability (GitHub Advisory).