Vulnerability Details CVE-2021-32811
Zope is an open-source web application server. Zope versions prior to versions 4.6.3 and 5.3 have a remote code execution security issue. In order to be affected, one must use Python 3 for one's Zope deployment, run Zope 4 below version 4.6.3 or Zope 5 below version 5.3, and have the optional `Products.PythonScripts` add-on package installed. By default, one must have the admin-level Zope "Manager" role to add or edit Script (Python) objects through the web. Only sites that allow untrusted users to add/edit these scripts through the web are at risk. Zope releases 4.6.3 and 5.3 are not vulnerable. As a workaround, a site administrator can restrict adding/editing Script (Python) objects through the web using the standard Zope user/role permission mechanisms. Untrusted users should not be assigned the Zope Manager role and adding/editing these scripts through the web should be restricted to trusted users only. This is the default configuration in Zope.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.039
EPSS Ranking 87.7%
CVSS Severity
CVSS v3 Score 7.5
CVSS v2 Score 6.5
References
- https://github.com/zopefoundation/AccessControl/security/advisories/GHSA-qcx9-j53g-ccgf
- https://github.com/zopefoundation/Zope/commit/f72a18dda8e9bf2aedb46168761668464a4be988
- https://github.com/zopefoundation/Zope/security/advisories/GHSA-g4gq-j4p2-j8fr
- https://github.com/zopefoundation/AccessControl/security/advisories/GHSA-qcx9-j53g-ccgf
- https://github.com/zopefoundation/Zope/commit/f72a18dda8e9bf2aedb46168761668464a4be988
- https://github.com/zopefoundation/Zope/security/advisories/GHSA-g4gq-j4p2-j8fr
Products affected by CVE-2021-32811
-
cpe:2.3:a:zope:accesscontrol:4.0
-
cpe:2.3:a:zope:accesscontrol:4.1
-
cpe:2.3:a:zope:accesscontrol:4.2
-
cpe:2.3:a:zope:accesscontrol:5.0
-
cpe:2.3:a:zope:accesscontrol:5.1
-
cpe:2.3:a:zope:zope:4.0
-
cpe:2.3:a:zope:zope:4.1
-
cpe:2.3:a:zope:zope:4.1.1
-
cpe:2.3:a:zope:zope:4.1.2
-
cpe:2.3:a:zope:zope:4.1.3
-
cpe:2.3:a:zope:zope:4.2
-
cpe:2.3:a:zope:zope:4.2.1
-
cpe:2.3:a:zope:zope:4.3
-
cpe:2.3:a:zope:zope:4.4
-
cpe:2.3:a:zope:zope:4.4.1
-
cpe:2.3:a:zope:zope:4.4.2
-
cpe:2.3:a:zope:zope:4.4.3
-
cpe:2.3:a:zope:zope:4.4.4
-
cpe:2.3:a:zope:zope:4.5
-
cpe:2.3:a:zope:zope:4.5.1
-
cpe:2.3:a:zope:zope:4.5.2
-
cpe:2.3:a:zope:zope:4.5.3
-
cpe:2.3:a:zope:zope:4.5.4
-
cpe:2.3:a:zope:zope:4.5.5
-
cpe:2.3:a:zope:zope:4.6
-
cpe:2.3:a:zope:zope:4.6.1
-
cpe:2.3:a:zope:zope:5.0
-
cpe:2.3:a:zope:zope:5.1
-
cpe:2.3:a:zope:zope:5.1.1
-
cpe:2.3:a:zope:zope:5.1.2
-
cpe:2.3:a:zope:zope:5.2
-
cpe:2.3:a:zope:zope:5.2.1