CVE-2021-32807
published 2021-07-30


Priority: P346 (high)
CVSS 3.1: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS: 2.03% (78.6th percentile)
The module `AccessControl` defines security policies for Python code used in restricted code within Zope applications. Restricted code is any code that resides in Zope's object database, such as the contents of `Script (Python)` objects. The policies defined in `AccessControl` severely restrict access to Python modules and only exempt a few that are deemed safe, such as Python's `string` module.

However, full access to the `string` module also allows access to the class `Formatter`, which can be overridden and extended within `Script (Python)` in a way that provides access to other unsafe Python libraries. Those unsafe Python libraries can be used for remote code execution.

By default, you need to have the admin-level Zope "Manager" role to add or edit `Script (Python)` objects through the web. Only sites that allow untrusted users to add/edit these scripts through the web, which would be a very unusual configuration to begin with, are at risk.

The problem has been fixed in AccessControl 4.3 and 5.2. Only AccessControl versions 4 and 5 are vulnerable, and only on Python 3, not Python 2.7.

As a workaround, a site administrator can restrict adding/editing `Script (Python)` objects through the web using the standard Zope user/role permission mechanisms. Untrusted users should not be assigned the Zope Manager role, and adding/editing these scripts through the web should be restricted to trusted users only. This is the default configuration in Zope.
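Why exempting the whole `string` module was unsafe comes down to how `string.Formatter` resolves field names: `Formatter.get_field` walks dotted attribute paths with the built-in `getattr`, inside the standard library, so a sandbox that rewrites attribute access in *restricted* code never sees those lookups. The following added example (not code from AccessControl or Zope, and not a reproduction of the Zope exploit) shows the gap in plain CPython with a toy underscore-denying guard, `guarded_getattr`, standing in for a restricted-Python attribute guard; the `Probe` class, the `resolve_*` helpers and `compare` are this example's own.

```python
import string


def guarded_getattr(obj, name):
    """Toy stand-in for a restricted-Python attribute guard.

    It refuses any attribute whose name starts with an underscore. This is a
    deliberate simplification for the example, not AccessControl's real guard.
    """
    if name.startswith("_"):
        raise AttributeError(f"access to {name!r} is denied")
    return getattr(obj, name)


def resolve_guarded(root, dotted):
    """Resolve 'a.b.c' from root the way restricted code would: every hop goes
    through the guard, so a dunder anywhere on the path is refused."""
    obj = root
    for part in dotted.split("."):
        obj = guarded_getattr(obj, part)
    return obj


def resolve_via_formatter(root, dotted):
    """Resolve the same path with string.Formatter.get_field.

    get_field parses '0.a.b.c', takes positional argument 0, then applies the
    plain built-in getattr for each '.a', '.b', '.c' hop. No guard is involved,
    which is exactly what makes an unrestricted Formatter dangerous inside a
    sandbox.
    """
    obj, _first = string.Formatter().get_field("0." + dotted, (root,), {})
    return obj


class Probe:
    """Constructed sample object: one harmless public attribute."""
    public = "visible"


def compare(root, dotted):
    """Resolve `dotted` both ways and report what each path yields."""
    try:
        guarded = resolve_guarded(root, dotted)
    except AttributeError as exc:
        guarded = f"denied: {exc}"
    return {"guarded": guarded, "formatter": resolve_via_formatter(root, dotted)}


if __name__ == "__main__":
    probe = Probe()
    for path in ("public", "__class__", "__class__.__name__", "__class__.__mro__"):
        print(f"{path:24} guarded={compare(probe, path)['guarded']!r} "
              f"formatter={compare(probe, path)['formatter']!r}")
```

The guarded path only ever returns `"visible"` and refuses the dunder lookups; the `Formatter` path hands back the class object and its `__name__`/`__mro__`, which is the kind of introspection a restricted environment is designed to withhold. A `Formatter` subclass defined in the sandbox inherits that unguarded traversal, which is why the fix in AccessControl 4.3 and 5.2 no longer exposes the class to restricted code.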

Affected

10 ranges

Vendor          Product        Version range                                        Fixed in
zope            accesscontrol  >= 4.0 < 4.3                                         4.3
zope            accesscontrol  >= 5.0 < 5.2                                         5.2
zope            zope           >= 0 < f72a18dda8e9bf2aedb46168761668464a4be988      f72a18dda8e9bf2aedb46168761668464a4be988
zope            zope           >= 4.0 < 4.6.3                                       4.6.3
zope            zope           >= 5.0 < 5.3                                         5.3
zopefoundation  accesscontrol  -                                                    -
zopefoundation  accesscontrol  -                                                    -
zopefoundation  accesscontrol  >= 0 < b42dd4badf803bb9fb71ac34cd9cb0c249262f2c      b42dd4badf803bb9fb71ac34cd9cb0c249262f2c
zopefoundation  accesscontrol  >= 4.0 < 4.3                                         4.3
zopefoundation  accesscontrol  >= 5.0 < 5.2                                         5.2
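A practitioner triaging a Zope deployment needs one answer from the description and the Affected table above: is this AccessControl or Zope release in a vulnerable range, and if so which release fixes it. The following added example (not code from AccessControl or Zope) encodes the released-version ranges from the table and the Python-3-only condition from the advisory text; the git-commit ranges are not modelled, and the function names are this example's own.

```python
import itertools
from typing import Optional, Tuple

# Vulnerable ranges from the Affected table as (lower bound inclusive,
# fixed version = upper bound exclusive). Only released versions are listed;
# the commit-hash ranges on the page are not modelled here.
AFFECTED_RANGES = {
    "accesscontrol": [("4.0", "4.3"), ("5.0", "5.2")],
    "zope": [("4.0", "4.6.3"), ("5.0", "5.3")],
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '4.6.3' into (4, 6, 3, 0).

    A pre-release such as '5.2b1' becomes (5, 2, 0, -1), which sorts before the
    final release (5, 2, 0, 0): a 5.2 beta still predates the fix and must be
    reported as affected. Versions shorter than three components are padded
    with zeros so that '4.3' and '4.3.0' compare equal.
    """
    numbers = []
    prerelease = False
    for piece in text.strip().split("."):
        digits = "".join(itertools.takewhile(str.isdigit, piece))
        if not digits:
            raise ValueError(f"unparseable version component in {text!r}")
        numbers.append(int(digits))
        if len(digits) != len(piece):  # trailing letters, e.g. '2b1'
            prerelease = True
            break
    while len(numbers) < 3:
        numbers.append(0)
    return tuple(numbers) + ((-1,) if prerelease else (0,))


def fixed_version(product: str, version: str, python_major: int = 3) -> Optional[str]:
    """Return the release that fixes CVE-2021-32807 for this install, or None
    when the install is not affected.

    The advisory says only AccessControl 4 and 5 on Python 3 are vulnerable,
    so a Python 2.7 install returns None regardless of version, and a 3.x
    AccessControl falls outside every range.
    """
    if python_major < 3:
        return None
    key = product.lower()
    if key not in AFFECTED_RANGES:
        raise KeyError(f"no ranges recorded for {product!r}")
    current = parse_version(version)
    for lower, fixed in AFFECTED_RANGES[key]:
        if parse_version(lower) <= current < parse_version(fixed):
            return fixed
    return None


def is_affected(product: str, version: str, python_major: int = 3) -> bool:
    """Convenience wrapper: True if fixed_version() names an upgrade target."""
    return fixed_version(product, version, python_major) is not None


if __name__ == "__main__":
    # Constructed sample inventory; the pairs are illustrative, not real hosts.
    inventory = [
        ("AccessControl", "4.2.1", 3),
        ("AccessControl", "4.3", 3),
        ("AccessControl", "5.2b1", 3),
        ("AccessControl", "4.2.1", 2),
        ("Zope", "5.2.1", 3),
        ("Zope", "5.3", 3),
    ]
    for product, version, py in inventory:
        target = fixed_version(product, version, py)
        verdict = f"upgrade to {target}" if target else "not affected"
        print(f"{product} {version} on Python {py}: {verdict}")
```

Feed it the `AccessControl` and `Zope` distributions reported by `pip freeze` (or the pinned versions in your buildout) together with the interpreter's major version; whatever comes back as "upgrade to" is the release to move to, and the role-based workaround from the description covers the interval until that upgrade lands.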

CVSS provenance

Source  Version  Score  Severity  Vector
nvd     v3.1     7.2    HIGH      CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
nvd     v2.0     6.5    MEDIUM    AV:N/AC:L/Au:S/C:P/I:P/A:P