pysec - pysec-2021-368

pysec-2021-368

Vulnerability from pysec

Published

2021-08-02 22:15

Modified

2021-10-12 02:55

Details

Zope is an open-source web application server. Zope versions prior to versions 4.6.3 and 5.3 have a remote code execution security issue. In order to be affected, one must use Python 3 for one's Zope deployment, run Zope 4 below version 4.6.3 or Zope 5 below version 5.3, and have the optional Products.PythonScripts add-on package installed. By default, one must have the admin-level Zope "Manager" role to add or edit Script (Python) objects through the web. Only sites that allow untrusted users to add/edit these scripts through the web are at risk. Zope releases 4.6.3 and 5.3 are not vulnerable. As a workaround, a site administrator can restrict adding/editing Script (Python) objects through the web using the standard Zope user/role permission mechanisms. Untrusted users should not be assigned the Zope Manager role and adding/editing these scripts through the web should be restricted to trusted users only. This is the default configuration in Zope.

Impacted products

Name	purl
zope	pkg:pypi/zope

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "zope",
        "purl": "pkg:pypi/zope"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "f72a18dda8e9bf2aedb46168761668464a4be988"
            }
          ],
          "repo": "https://github.com/zopefoundation/Zope",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "4.0"
            },
            {
              "fixed": "4.6.3"
            },
            {
              "introduced": "5.0"
            },
            {
              "fixed": "5.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "4.0",
        "4.1",
        "4.1.1",
        "4.1.2",
        "4.1.3",
        "4.2",
        "4.2.1",
        "4.3",
        "4.4",
        "4.4.1",
        "4.4.2",
        "4.4.3",
        "4.4.4",
        "4.5",
        "4.5.1",
        "4.5.2",
        "4.5.3",
        "4.5.4",
        "4.5.5",
        "4.6",
        "4.6.1",
        "4.6.2",
        "5.0",
        "5.1",
        "5.1.1",
        "5.1.2",
        "5.2",
        "5.2.1"
      ]
    }
  ],
  "aliases": [
    "CVE-2021-32811",
    "GHSA-qcx9-j53g-ccgf",
    "GHSA-g4gq-j4p2-j8fr"
  ],
  "details": "Zope is an open-source web application server. Zope versions prior to versions 4.6.3 and 5.3 have a remote code execution security issue. In order to be affected, one must use Python 3 for one\u0027s Zope deployment, run Zope 4 below version 4.6.3 or Zope 5 below version 5.3, and have the optional `Products.PythonScripts` add-on package installed. By default, one must have the admin-level Zope \"Manager\" role to add or edit Script (Python) objects through the web. Only sites that allow untrusted users to add/edit these scripts through the web are at risk. Zope releases 4.6.3 and 5.3 are not vulnerable. As a workaround, a site administrator can restrict adding/editing Script (Python) objects through the web using the standard Zope user/role permission mechanisms. Untrusted users should not be assigned the Zope Manager role and adding/editing these scripts through the web should be restricted to trusted users only. This is the default configuration in Zope.",
  "id": "PYSEC-2021-368",
  "modified": "2021-10-12T02:55:36.218662Z",
  "published": "2021-08-02T22:15:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/zopefoundation/AccessControl/security/advisories/GHSA-qcx9-j53g-ccgf"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/zopefoundation/Zope/security/advisories/GHSA-g4gq-j4p2-j8fr"
    },
    {
      "type": "FIX",
      "url": "https://github.com/zopefoundation/Zope/commit/f72a18dda8e9bf2aedb46168761668464a4be988"
    }
  ]
}

ghsa-qcx9-j53g-ccgf

Vulnerability from github

Published

2021-08-05 17:01

Modified

2024-09-03 21:13

Severity ?

4.4 (Medium) - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N
5.9 (Medium) - CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Summary

Remote Code Execution via unsafe classes in otherwise permitted modules

Details

Impact

The module AccessControl defines security policies for Python code used in restricted code within Zope applications. Restricted code is any code that resides in Zope's object database, such as the contents of Script (Python) objects.

The policies defined in AccessControl severely restrict access to Python modules and only exempt a few that are deemed safe, such as Python's string module. However, full access to the string module also allows access to the class Formatter, which can be overridden and extended within Script (Python) in a way that provides access to other unsafe Python libraries. Those unsafe Python libraries can be used for remote code execution.

By default, you need to have the admin-level Zope "Manager" role to add or edit Script (Python) objects through the web. Only sites that allow untrusted users to add/edit these scripts through the web - which would be a very unusual configuration to begin with - are at risk.

Patches

The problem has been fixed in AccessControl 4.3 and 5.2. Only AccessControl versions 4 and 5 are vulnerable, and only on Python 3, not Python 2.7.

Workarounds

A site administrator can restrict adding/editing Script (Python) objects through the web using the standard Zope user/role permission mechanisms. Untrusted users should not be assigned the Zope Manager role and adding/editing these scripts through the web should be restricted to trusted users only. This is the default configuration in Zope.

For more information

If you have any questions or comments about this advisory: * Open an issue in the AccessControl issue tracker * Email us at security@plone.org

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "AccessControl"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0"
            },
            {
              "fixed": "4.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "AccessControl"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0"
            },
            {
              "fixed": "5.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-32807"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321",
      "CWE-915"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-08-02T23:00:00Z",
    "nvd_published_at": "2021-07-30T22:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nThe module `AccessControl` defines security policies for Python code used in restricted code within Zope applications. Restricted code is any code that resides in Zope\u0027s object database, such as the contents of `Script (Python)` objects. \n\nThe policies defined in `AccessControl` severely restrict access to Python modules and only exempt a few that are deemed safe, such as Python\u0027s `string` module. However, full access to the `string` module also allows access to the class `Formatter`, which can be overridden and extended within `Script (Python)` in a way that provides access to other unsafe Python libraries. Those unsafe Python libraries can be used for remote code execution.\n\nBy default, you need to have the admin-level Zope \"Manager\" role to add or edit `Script (Python)` objects through the web. Only sites that allow untrusted users to add/edit these scripts through the web - which would be a very unusual configuration to begin with - are at risk.\n\n### Patches\nThe problem has been fixed in AccessControl 4.3 and 5.2.\nOnly AccessControl versions 4 and 5 are vulnerable, and only on Python 3, not Python 2.7.\n\n### Workarounds\nA site administrator can restrict adding/editing `Script (Python)` objects through the web using the standard Zope user/role permission mechanisms. Untrusted users should not be assigned the Zope Manager role and adding/editing these scripts through the web should be restricted to trusted users only. This is the default configuration in Zope.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in the [AccessControl issue tracker](https://github.com/zopefoundation/AccessControl/issues)\n* Email us at [security@plone.org](mailto:security@plone.org)\n",
  "id": "GHSA-qcx9-j53g-ccgf",
  "modified": "2024-09-03T21:13:35Z",
  "published": "2021-08-05T17:01:30Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/zopefoundation/AccessControl/security/advisories/GHSA-qcx9-j53g-ccgf"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zopefoundation/Zope/security/advisories/GHSA-g4gq-j4p2-j8fr"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32807"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zopefoundation/AccessControl/commit/ae2dab0cc34e6dd1561c5b12d4a56cd140f87e1d"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zopefoundation/AccessControl/commit/b42dd4badf803bb9fb71ac34cd9cb0c249262f2c"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zopefoundation/Zope/commit/869f947e586517566509e0ccdd4d99b60704cc02"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zopefoundation/Zope/commit/f72a18dda8e9bf2aedb46168761668464a4be988"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/accesscontrol/PYSEC-2021-335.yaml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/accesscontrol/PYSEC-2021-370.yaml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/zope/PYSEC-2021-368.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/zopefoundation/AccessControl"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zopefoundation/AccessControl/blob/master/CHANGES.rst#51-2021-07-30"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Remote Code Execution via unsafe classes in otherwise permitted modules"
}

ghsa-g4gq-j4p2-j8fr

Vulnerability from github

Published

2021-08-05 17:00

Modified

2024-09-03 21:14

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
7.7 (High) - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Summary

Remote Code Execution via Script (Python) objects under Python 3

Details

Impact

Background: The optional add-on package Products.PythonScripts adds Script (Python) to the list of content items a user can add to the Zope object database. Inside these scripts users can write Python code that is executed when rendered through the web. The code environment in these script objects is limited, it relies on the RestrictedPython package to provide a "safe" subset of Python instructions as well as the AccessControl package that defines security policies for execution in the context of a Zope application.

Recently the AccessControl package was updated to fix a remote code execution security issue. A link to the security advisory is provided in the References section below. The bug tightens the AccessControl security policies for Zope by blocking access to unsafe classes inside the Python string module.

You are only affected if the following are true:

You use Python 3 for your Zope deployment (Zope 4 on Python 2 is not affected)
You run Zope 4 below version 4.6.3 or Zope 5 below version 5.3
You have installed the optional Products.PythonScripts add-on package

By default, you need to have the admin-level Zope "Manager" role to add or edit Script (Python) objects through the web. Only sites that allow untrusted users to add/edit these scripts through the web - which would be a very unusual configuration to begin with - are at risk.

Patches

The problem has been fixed in AccessControl versions 4.3 and 5.2. Zope releases 4.6.3 and 5.3 now require these new AccessControl releases.

Workarounds

A site administrator can restrict adding/editing Script (Python) objects through the web using the standard Zope user/role permission mechanisms. Untrusted users should not be assigned the Zope Manager role and adding/editing these scripts through the web should be restricted to trusted users only. This is the default configuration in Zope.

References

AccessControl security advisory GHSA-qcx9-j53g-ccgf

For more information

If you have any questions or comments about this advisory: * Open an issue in the Zope issue tracker * Email us at security@plone.org

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "Zope"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0"
            },
            {
              "fixed": "4.6.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "Zope"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0"
            },
            {
              "fixed": "5.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-32811"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321",
      "CWE-915"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-08-02T22:57:25Z",
    "nvd_published_at": "2021-08-02T22:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nBackground: The optional add-on package `Products.PythonScripts` adds `Script (Python)` to the list of content items a user can add to the Zope object database. Inside these scripts users can write Python code that is executed when rendered through the web. The code environment in these script objects is limited, it relies on the `RestrictedPython` package to provide a \"safe\" subset of Python instructions as well as the `AccessControl` package that defines security policies for execution in the context of a Zope application.\n\nRecently the `AccessControl` package was updated to fix a remote code execution security issue. A link to the security advisory is provided in the References section below. The bug tightens the `AccessControl` security policies for Zope by blocking access to unsafe classes inside the Python `string` module.\n\nYou are only affected if the following are true:\n\n- You use Python 3 for your Zope deployment (Zope 4 on Python 2 is not affected)\n- You run Zope 4 below version 4.6.3 or Zope 5 below version 5.3\n- You have installed the optional `Products.PythonScripts` add-on package\n\nBy default, you need to have the admin-level Zope \"Manager\" role to add or edit Script (Python) objects through the web. Only sites that allow untrusted users to add/edit these scripts through the web - which would be a very unusual configuration to begin with - are at risk.\n\n### Patches\nThe problem has been fixed in `AccessControl` versions 4.3 and 5.2. Zope releases 4.6.3 and 5.3 now require these new `AccessControl` releases.\n\n### Workarounds\nA site administrator can restrict adding/editing Script (Python) objects through the web using the standard Zope user/role permission mechanisms. Untrusted users should not be assigned the Zope Manager role and adding/editing these scripts through the web should be restricted to trusted users only. This is the default configuration in Zope.\n\n### References\n* [AccessControl security advisory GHSA-qcx9-j53g-ccgf](https://github.com/zopefoundation/AccessControl/security/advisories/GHSA-qcx9-j53g-ccgf)\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in the [Zope issue tracker](https://github.com/zopefoundation/Zope/issues)\n* Email us at [security@plone.org](mailto:security@plone.org)\n\n",
  "id": "GHSA-g4gq-j4p2-j8fr",
  "modified": "2024-09-03T21:14:03Z",
  "published": "2021-08-05T17:00:37Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/zopefoundation/AccessControl/security/advisories/GHSA-qcx9-j53g-ccgf"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zopefoundation/Zope/security/advisories/GHSA-g4gq-j4p2-j8fr"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32811"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zopefoundation/Zope/commit/869f947e586517566509e0ccdd4d99b60704cc02"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zopefoundation/Zope/commit/f72a18dda8e9bf2aedb46168761668464a4be988"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/zope/PYSEC-2021-368.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/zopefoundation/Zope"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Remote Code Execution via Script (Python) objects under Python 3"
}

CVE-2021-32811 (GCVE-0-2021-32811)

Vulnerability from cvelistv5

Published

2021-08-02 21:55

Modified

2024-08-03 23:33

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes

Summary

Zope is an open-source web application server. Zope versions prior to versions 4.6.3 and 5.3 have a remote code execution security issue. In order to be affected, one must use Python 3 for one's Zope deployment, run Zope 4 below version 4.6.3 or Zope 5 below version 5.3, and have the optional `Products.PythonScripts` add-on package installed. By default, one must have the admin-level Zope "Manager" role to add or edit Script (Python) objects through the web. Only sites that allow untrusted users to add/edit these scripts through the web are at risk. Zope releases 4.6.3 and 5.3 are not vulnerable. As a workaround, a site administrator can restrict adding/editing Script (Python) objects through the web using the standard Zope user/role permission mechanisms. Untrusted users should not be assigned the Zope Manager role and adding/editing these scripts through the web should be restricted to trusted users only. This is the default configuration in Zope.

References

►

URL

Tags

	https://github.com/zopefoundation/Zope/security/advisories/GHSA-g4gq-j4p2-j8fr	x_refsource_CONFIRM
	https://github.com/zopefoundation/AccessControl/security/advisories/GHSA-qcx9-j53g-ccgf	x_refsource_MISC
	https://github.com/zopefoundation/Zope/commit/f72a18dda8e9bf2aedb46168761668464a4be988	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	zopefoundation	Zope	Version: >= 4.0, < 4.6.3 Version: >= 5.0, < 5.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T23:33:55.955Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/zopefoundation/Zope/security/advisories/GHSA-g4gq-j4p2-j8fr"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/zopefoundation/AccessControl/security/advisories/GHSA-qcx9-j53g-ccgf"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/zopefoundation/Zope/commit/f72a18dda8e9bf2aedb46168761668464a4be988"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Zope",
          "vendor": "zopefoundation",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 4.0, \u003c 4.6.3"
            },
            {
              "status": "affected",
              "version": "\u003e= 5.0, \u003c 5.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Zope is an open-source web application server. Zope versions prior to versions 4.6.3 and 5.3 have a remote code execution security issue. In order to be affected, one must use Python 3 for one\u0027s Zope deployment, run Zope 4 below version 4.6.3 or Zope 5 below version 5.3, and have the optional `Products.PythonScripts` add-on package installed. By default, one must have the admin-level Zope \"Manager\" role to add or edit Script (Python) objects through the web. Only sites that allow untrusted users to add/edit these scripts through the web are at risk. Zope releases 4.6.3 and 5.3 are not vulnerable. As a workaround, a site administrator can restrict adding/editing Script (Python) objects through the web using the standard Zope user/role permission mechanisms. Untrusted users should not be assigned the Zope Manager role and adding/editing these scripts through the web should be restricted to trusted users only. This is the default configuration in Zope."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-915",
              "description": "CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-08-02T21:55:11",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/zopefoundation/Zope/security/advisories/GHSA-g4gq-j4p2-j8fr"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/zopefoundation/AccessControl/security/advisories/GHSA-qcx9-j53g-ccgf"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/zopefoundation/Zope/commit/f72a18dda8e9bf2aedb46168761668464a4be988"
        }
      ],
      "source": {
        "advisory": "GHSA-g4gq-j4p2-j8fr",
        "discovery": "UNKNOWN"
      },
      "title": "Remote Code Execution via Script (Python) objects under Python 3",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-32811",
          "STATE": "PUBLIC",
          "TITLE": "Remote Code Execution via Script (Python) objects under Python 3"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Zope",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003e= 4.0, \u003c 4.6.3"
                          },
                          {
                            "version_value": "\u003e= 5.0, \u003c 5.3"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "zopefoundation"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Zope is an open-source web application server. Zope versions prior to versions 4.6.3 and 5.3 have a remote code execution security issue. In order to be affected, one must use Python 3 for one\u0027s Zope deployment, run Zope 4 below version 4.6.3 or Zope 5 below version 5.3, and have the optional `Products.PythonScripts` add-on package installed. By default, one must have the admin-level Zope \"Manager\" role to add or edit Script (Python) objects through the web. Only sites that allow untrusted users to add/edit these scripts through the web are at risk. Zope releases 4.6.3 and 5.3 are not vulnerable. As a workaround, a site administrator can restrict adding/editing Script (Python) objects through the web using the standard Zope user/role permission mechanisms. Untrusted users should not be assigned the Zope Manager role and adding/editing these scripts through the web should be restricted to trusted users only. This is the default configuration in Zope."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/zopefoundation/Zope/security/advisories/GHSA-g4gq-j4p2-j8fr",
              "refsource": "CONFIRM",
              "url": "https://github.com/zopefoundation/Zope/security/advisories/GHSA-g4gq-j4p2-j8fr"
            },
            {
              "name": "https://github.com/zopefoundation/AccessControl/security/advisories/GHSA-qcx9-j53g-ccgf",
              "refsource": "MISC",
              "url": "https://github.com/zopefoundation/AccessControl/security/advisories/GHSA-qcx9-j53g-ccgf"
            },
            {
              "name": "https://github.com/zopefoundation/Zope/commit/f72a18dda8e9bf2aedb46168761668464a4be988",
              "refsource": "MISC",
              "url": "https://github.com/zopefoundation/Zope/commit/f72a18dda8e9bf2aedb46168761668464a4be988"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-g4gq-j4p2-j8fr",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2021-32811",
    "datePublished": "2021-08-02T21:55:11",
    "dateReserved": "2021-05-12T00:00:00",
    "dateUpdated": "2024-08-03T23:33:55.955Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

pysec-2021-368

Vulnerability from pysec

ghsa-qcx9-j53g-ccgf

Vulnerability from github

Impact

Patches

Workarounds

For more information

ghsa-g4gq-j4p2-j8fr

Vulnerability from github

Impact

Patches

Workarounds

References

For more information

CVE-2021-32811 (GCVE-0-2021-32811)

Vulnerability from cvelistv5

Tags

Sightings

Nomenclature