CVE-2021-32811 - OpenCVE

Vendors	Products
Zope	Accesscontrol Zope

Link	Providers
https://github.com/zopefoundation/AccessControl/security/advisories/GHSA-qcx9-j53g-ccgf
https://github.com/zopefoundation/Zope/commit/f72a18dda8e9bf2aedb46168761668464a4be988
https://github.com/zopefoundation/Zope/security/advisories/GHSA-g4gq-j4p2-j8fr

{"containers": {"cna": {"affected": [{"product": "Zope", "vendor": "zopefoundation", "versions": [{"status": "affected", "version": ">= 4.0, < 4.6.3"}, {"status": "affected", "version": ">= 5.0, < 5.3"}]}], "descriptions": [{"lang": "en", "value": "Zope is an open-source web application server. Zope versions prior to versions 4.6.3 and 5.3 have a remote code execution security issue. In order to be affected, one must use Python 3 for one's Zope deployment, run Zope 4 below version 4.6.3 or Zope 5 below version 5.3, and have the optional `Products.PythonScripts` add-on package installed. By default, one must have the admin-level Zope \"Manager\" role to add or edit Script (Python) objects through the web. Only sites that allow untrusted users to add/edit these scripts through the web are at risk. Zope releases 4.6.3 and 5.3 are not vulnerable. As a workaround, a site administrator can restrict adding/editing Script (Python) objects through the web using the standard Zope user/role permission mechanisms. Untrusted users should not be assigned the Zope Manager role and adding/editing these scripts through the web should be restricted to trusted users only. This is the default configuration in Zope."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-915", "description": "CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-08-02T21:55:11", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/zopefoundation/Zope/security/advisories/GHSA-g4gq-j4p2-j8fr"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/zopefoundation/AccessControl/security/advisories/GHSA-qcx9-j53g-ccgf"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/zopefoundation/Zope/commit/f72a18dda8e9bf2aedb46168761668464a4be988"}], "source": {"advisory": "GHSA-g4gq-j4p2-j8fr", "discovery": "UNKNOWN"}, "title": "Remote Code Execution via Script (Python) objects under Python 3", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-32811", "STATE": "PUBLIC", "TITLE": "Remote Code Execution via Script (Python) objects under Python 3"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Zope", "version": {"version_data": [{"version_value": ">= 4.0, < 4.6.3"}, {"version_value": ">= 5.0, < 5.3"}]}}]}, "vendor_name": "zopefoundation"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Zope is an open-source web application server. Zope versions prior to versions 4.6.3 and 5.3 have a remote code execution security issue. In order to be affected, one must use Python 3 for one's Zope deployment, run Zope 4 below version 4.6.3 or Zope 5 below version 5.3, and have the optional `Products.PythonScripts` add-on package installed. By default, one must have the admin-level Zope \"Manager\" role to add or edit Script (Python) objects through the web. Only sites that allow untrusted users to add/edit these scripts through the web are at risk. Zope releases 4.6.3 and 5.3 are not vulnerable. As a workaround, a site administrator can restrict adding/editing Script (Python) objects through the web using the standard Zope user/role permission mechanisms. Untrusted users should not be assigned the Zope Manager role and adding/editing these scripts through the web should be restricted to trusted users only. This is the default configuration in Zope."}]}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes"}]}]}, "references": {"reference_data": [{"name": "https://github.com/zopefoundation/Zope/security/advisories/GHSA-g4gq-j4p2-j8fr", "refsource": "CONFIRM", "url": "https://github.com/zopefoundation/Zope/security/advisories/GHSA-g4gq-j4p2-j8fr"}, {"name": "https://github.com/zopefoundation/AccessControl/security/advisories/GHSA-qcx9-j53g-ccgf", "refsource": "MISC", "url": "https://github.com/zopefoundation/AccessControl/security/advisories/GHSA-qcx9-j53g-ccgf"}, {"name": "https://github.com/zopefoundation/Zope/commit/f72a18dda8e9bf2aedb46168761668464a4be988", "refsource": "MISC", "url": "https://github.com/zopefoundation/Zope/commit/f72a18dda8e9bf2aedb46168761668464a4be988"}]}, "source": {"advisory": "GHSA-g4gq-j4p2-j8fr", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T23:33:55.955Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/zopefoundation/Zope/security/advisories/GHSA-g4gq-j4p2-j8fr"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/zopefoundation/AccessControl/security/advisories/GHSA-qcx9-j53g-ccgf"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/zopefoundation/Zope/commit/f72a18dda8e9bf2aedb46168761668464a4be988"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-32811", "datePublished": "2021-08-02T21:55:11", "dateReserved": "2021-05-12T00:00:00", "dateUpdated": "2024-08-03T23:33:55.955Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:zope:accesscontrol:*:*:*:*:*:*:*:*", "matchCriteriaId": "8538D35C-EA69-4A87-8DBB-D6522F8C7422", "versionEndExcluding": "4.3", "versionStartIncluding": "4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:zope:accesscontrol:*:*:*:*:*:*:*:*", "matchCriteriaId": "34F2C931-DCB6-4326-BBDF-2E9B13946D55", "versionEndExcluding": "5.2", "versionStartIncluding": "5.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:zope:zope:*:*:*:*:*:*:*:*", "matchCriteriaId": "30CF6645-50E3-42F0-8E21-8476237210C8", "versionEndExcluding": "4.6.3", "versionStartIncluding": "4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:zope:zope:*:*:*:*:*:*:*:*", "matchCriteriaId": "63A55EE7-7617-407F-83AB-219EA3769E61", "versionEndExcluding": "5.3", "versionStartIncluding": "5.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Zope is an open-source web application server. Zope versions prior to versions 4.6.3 and 5.3 have a remote code execution security issue. In order to be affected, one must use Python 3 for one's Zope deployment, run Zope 4 below version 4.6.3 or Zope 5 below version 5.3, and have the optional `Products.PythonScripts` add-on package installed. By default, one must have the admin-level Zope \"Manager\" role to add or edit Script (Python) objects through the web. Only sites that allow untrusted users to add/edit these scripts through the web are at risk. Zope releases 4.6.3 and 5.3 are not vulnerable. As a workaround, a site administrator can restrict adding/editing Script (Python) objects through the web using the standard Zope user/role permission mechanisms. Untrusted users should not be assigned the Zope Manager role and adding/editing these scripts through the web should be restricted to trusted users only. This is the default configuration in Zope."}, {"lang": "es", "value": "Zope es un servidor de aplicaciones web de c\u00f3digo abierto. Zope versiones anteriores a 4.6.3 y 5.3 tienen un problema de seguridad de ejecuci\u00f3n de c\u00f3digo remota . Para ser afectado, uno debe usar Python 3 para su despliegue de Zope, ejecutar Zope 4 por debajo de la versi\u00f3n 4.6.3 o Zope 5 por debajo de la versi\u00f3n 5.3, y tener el paquete adicional opcional \"Products.PythonScripts\" instalado. Por defecto, hay que tener el rol de \"Manager\" de Zope a nivel de administrador para a\u00f1adir o editar objetos Script (Python) mediante la web. S\u00f3lo los sitios que permiten a usuarios no confiables a\u00f1adir/editar estos scripts mediante la web est\u00e1n en riesgo. Zope versiones 4.6.3 y 5.3 no son vulnerables. Como soluci\u00f3n, el administrador del sitio puede restringir la adici\u00f3n/edici\u00f3n de objetos Script (Python) mediante la web usando los mecanismos est\u00e1ndar de permisos de usuario/rol de Zope. Los usuarios que no son de confianza no se les deber\u00eda asignar el rol de Administrador de Zope y a\u00f1adir/editar estos scripts mediante la web deber\u00eda estar restringido s\u00f3lo a usuarios de confianza. Esta es la configuraci\u00f3n predeterminada en Zope"}], "id": "CVE-2021-32811", "lastModified": "2022-12-02T19:35:29.907", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2021-08-02T22:15:08.333", "references": [{"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/zopefoundation/AccessControl/security/advisories/GHSA-qcx9-j53g-ccgf"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/zopefoundation/Zope/commit/f72a18dda8e9bf2aedb46168761668464a4be988"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/zopefoundation/Zope/security/advisories/GHSA-g4gq-j4p2-j8fr"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1321"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-915"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

Metrics

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object