CVE-2021-32811

EPSS 3.93%
Published 02.08.2021 22:15:08
Last modified 21.11.2024 06:07:47
Source security-advisories@github.com
Teams watchlist Login
Open Login

Zope is an open-source web application server. Zope versions prior to versions 4.6.3 and 5.3 have a remote code execution security issue. In order to be affected, one must use Python 3 for one's Zope deployment, run Zope 4 below version 4.6.3 or Zope 5 below version 5.3, and have the optional `Products.PythonScripts` add-on package installed. By default, one must have the admin-level Zope "Manager" role to add or edit Script (Python) objects through the web. Only sites that allow untrusted users to add/edit these scripts through the web are at risk. Zope releases 4.6.3 and 5.3 are not vulnerable. As a workaround, a site administrator can restrict adding/editing Script (Python) objects through the web using the standard Zope user/role permission mechanisms. Untrusted users should not be assigned the Zope Manager role and adding/editing these scripts through the web should be restricted to trusted users only. This is the default configuration in Zope.

Affected products Warnungen 0 Metrics 4 CWE 2 References 6

Data is provided by the National Vulnerability Database (NVD)

Zope ≫ Accesscontrol Version >= 4.0 < 4.3

Zope ≫ Accesscontrol Version >= 5.0 < 5.2

Zope ≫ Zope Version >= 4.0 < 4.6.3

Zope ≫ Zope Version >= 5.0 < 5.3

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	3.93%	0.872

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.2	1.2	5.9	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	6.5	8	6.4	AV:N/AC:L/Au:S/C:P/I:P/A:P
security-advisories@github.com	7.5	1.6	5.9	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes

The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.

https://github.com/zopefoundation/AccessControl/security/advisories/GHSA-qcx9-j53g-ccgf

Third Party Advisory

https://github.com/zopefoundation/Zope/commit/f72a18dda8e9bf2aedb46168761668464a4be988

Patch

Third Party Advisory

https://github.com/zopefoundation/Zope/security/advisories/GHSA-g4gq-j4p2-j8fr

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2021-32811

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-32811

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-32811

EUVD