CVE-2021-32674 - OpenCVE

Vendors	Products
Zope	Zope

Link	Providers
https://github.com/zopefoundation/Zope/commit/1d897910139e2c0b11984fc9b78c1da1365bec21
https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36
https://github.com/zopefoundation/Zope/security/advisories/GHSA-rpcg-f9q6-2mq6
https://pypi.org/project/Zope/

{"containers": {"cna": {"affected": [{"product": "Zope", "vendor": "zopefoundation", "versions": [{"status": "affected", "version": ">= 5.0.0, < 5.2.1"}, {"status": "affected", "version": "< 4.6.1"}]}], "descriptions": [{"lang": "en", "value": "Zope is an open-source web application server. This advisory extends the previous advisory at https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36 with additional cases of TAL expression traversal vulnerabilities. Most Python modules are not available for using in TAL expressions that you can add through-the-web, for example in Zope Page Templates. This restriction avoids file system access, for example via the 'os' module. But some of the untrusted modules are available indirectly through Python modules that are available for direct use. By default, you need to have the Manager role to add or edit Zope Page Templates through the web. Only sites that allow untrusted users to add/edit Zope Page Templates through the web are at risk. The problem has been fixed in Zope 5.2.1 and 4.6.1. The workaround is the same as for https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36: A site administrator can restrict adding/editing Zope Page Templates through the web using the standard Zope user/role permission mechanisms. Untrusted users should not be assigned the Zope Manager role and adding/editing Zope Page Templates through the web should be restricted to trusted users only."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-12-17T16:29:37", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/zopefoundation/Zope/security/advisories/GHSA-rpcg-f9q6-2mq6"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/zopefoundation/Zope/commit/1d897910139e2c0b11984fc9b78c1da1365bec21"}, {"tags": ["x_refsource_MISC"], "url": "https://pypi.org/project/Zope/"}], "source": {"advisory": "GHSA-rpcg-f9q6-2mq6", "discovery": "UNKNOWN"}, "title": "Remote Code Execution via traversal in TAL expressions", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-32674", "STATE": "PUBLIC", "TITLE": "Remote Code Execution via traversal in TAL expressions"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Zope", "version": {"version_data": [{"version_value": ">= 5.0.0, < 5.2.1"}, {"version_value": "< 4.6.1"}]}}]}, "vendor_name": "zopefoundation"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Zope is an open-source web application server. This advisory extends the previous advisory at https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36 with additional cases of TAL expression traversal vulnerabilities. Most Python modules are not available for using in TAL expressions that you can add through-the-web, for example in Zope Page Templates. This restriction avoids file system access, for example via the 'os' module. But some of the untrusted modules are available indirectly through Python modules that are available for direct use. By default, you need to have the Manager role to add or edit Zope Page Templates through the web. Only sites that allow untrusted users to add/edit Zope Page Templates through the web are at risk. The problem has been fixed in Zope 5.2.1 and 4.6.1. The workaround is the same as for https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36: A site administrator can restrict adding/editing Zope Page Templates through the web using the standard Zope user/role permission mechanisms. Untrusted users should not be assigned the Zope Manager role and adding/editing Zope Page Templates through the web should be restricted to trusted users only."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}]}, "references": {"reference_data": [{"name": "https://github.com/zopefoundation/Zope/security/advisories/GHSA-rpcg-f9q6-2mq6", "refsource": "CONFIRM", "url": "https://github.com/zopefoundation/Zope/security/advisories/GHSA-rpcg-f9q6-2mq6"}, {"name": "https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36", "refsource": "MISC", "url": "https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36"}, {"name": "https://github.com/zopefoundation/Zope/commit/1d897910139e2c0b11984fc9b78c1da1365bec21", "refsource": "MISC", "url": "https://github.com/zopefoundation/Zope/commit/1d897910139e2c0b11984fc9b78c1da1365bec21"}, {"name": "https://pypi.org/project/Zope/", "refsource": "MISC", "url": "https://pypi.org/project/Zope/"}]}, "source": {"advisory": "GHSA-rpcg-f9q6-2mq6", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T23:25:31.128Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/zopefoundation/Zope/security/advisories/GHSA-rpcg-f9q6-2mq6"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/zopefoundation/Zope/commit/1d897910139e2c0b11984fc9b78c1da1365bec21"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://pypi.org/project/Zope/"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-32674", "datePublished": "2021-06-08T17:45:12", "dateReserved": "2021-05-12T00:00:00", "dateUpdated": "2024-08-03T23:25:31.128Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:zope:zope:*:*:*:*:*:*:*:*", "matchCriteriaId": "712BA8E7-7A6A-45C3-956C-50A504307324", "versionEndExcluding": "4.6.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:zope:zope:*:*:*:*:*:*:*:*", "matchCriteriaId": "A81939E1-6719-4032-960C-4B181E9E4E28", "versionEndExcluding": "5.2.1", "versionStartIncluding": "5.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Zope is an open-source web application server. This advisory extends the previous advisory at https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36 with additional cases of TAL expression traversal vulnerabilities. Most Python modules are not available for using in TAL expressions that you can add through-the-web, for example in Zope Page Templates. This restriction avoids file system access, for example via the 'os' module. But some of the untrusted modules are available indirectly through Python modules that are available for direct use. By default, you need to have the Manager role to add or edit Zope Page Templates through the web. Only sites that allow untrusted users to add/edit Zope Page Templates through the web are at risk. The problem has been fixed in Zope 5.2.1 and 4.6.1. The workaround is the same as for https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36: A site administrator can restrict adding/editing Zope Page Templates through the web using the standard Zope user/role permission mechanisms. Untrusted users should not be assigned the Zope Manager role and adding/editing Zope Page Templates through the web should be restricted to trusted users only."}, {"lang": "es", "value": "Zope es un servidor de aplicaciones web de c\u00f3digo abierto. Este aviso ampl\u00eda el aviso anterior en https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36 con casos adicionales de vulnerabilidades de cruce de expresiones TAL. La mayor\u00eda de los m\u00f3dulos de Python no est\u00e1n disponibles para su uso en expresiones TAL que se pueden a\u00f1adir a trav\u00e9s de la web, por ejemplo en las plantillas de p\u00e1ginas de Zope. Esta restricci\u00f3n evita el acceso al sistema de archivos, por ejemplo a trav\u00e9s del m\u00f3dulo 'os'. Pero algunos de los m\u00f3dulos no confiables est\u00e1n disponibles indirectamente a trav\u00e9s de los m\u00f3dulos de Python que est\u00e1n disponibles para su uso directo. Por defecto, es necesario tener el rol de Administrador para a\u00f1adir o editar Plantillas de P\u00e1gina Zope a trav\u00e9s de la web. S\u00f3lo los sitios que permiten a los usuarios no confiables a\u00f1adir/editar Plantillas de P\u00e1gina Zope a trav\u00e9s de la web est\u00e1n en riesgo. El problema se ha solucionado en Zope versiones 5.2.1 y 4.6.1. La soluci\u00f3n es la misma que para https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36: Un administrador del sitio puede restringir la adici\u00f3n/edici\u00f3n de Plantillas de P\u00e1gina Zope a trav\u00e9s de la web utilizando los mecanismos est\u00e1ndar de permisos de usuario/rol de Zope. A los usuarios que no sean de confianza no se les debe asignar el rol de Gestor de Zope y a\u00f1adir/editar Plantillas de P\u00e1gina Zope a trav\u00e9s de la web debe estar restringido s\u00f3lo a los usuarios de confianza"}], "id": "CVE-2021-32674", "lastModified": "2022-01-21T14:42:58.327", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Secondary"}]}, "published": "2021-06-08T18:15:08.307", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/zopefoundation/Zope/commit/1d897910139e2c0b11984fc9b78c1da1365bec21"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/zopefoundation/Zope/security/advisories/GHSA-rpcg-f9q6-2mq6"}, {"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://pypi.org/project/Zope/"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object