CVE-2021-32811
published 2021-08-02

Priority: P3 (46), high
CVSS 3.1 base score: 7.2 (AV:N / AC:L / PR:H / UI:N / S:U / C:H / I:H / A:H)
EPSS: 2.28% (80.9th percentile)
Zope is an open-source web application server. Zope versions prior to versions 4.6.3 and 5.3 have a remote code execution security issue. In order to be affected, one must use Python 3 for one's Zope deployment, run Zope 4 below version 4.6.3 or Zope 5 below version 5.3, and have the optional `Products.PythonScripts` add-on package installed. By default, one must have the admin-level Zope "Manager" role to add or edit Script (Python) objects through the web. Only sites that allow untrusted users to add/edit these scripts through the web are at risk. Zope releases 4.6.3 and 5.3 are not vulnerable. As a workaround, a site administrator can restrict adding/editing Script (Python) objects through the web using the standard Zope user/role permission mechanisms. Untrusted users should not be assigned the Zope Manager role and adding/editing these scripts through the web should be restricted to trusted users only. This is the default configuration in Zope.

Affected

12 ranges

Vendor         | Product       | Version range                                          | Fixed in
zope           | accesscontrol | >= 4.0 < 4.3                                           | 4.3
zope           | accesscontrol | >= 5.0 < 5.2                                           | 5.2
zope           | zope          | >= 0 < f72a18dda8e9bf2aedb46168761668464a4be988       | f72a18dda8e9bf2aedb46168761668464a4be988
zope           | zope          | >= 4.0 < 4.6.3                                         | 4.6.3
zope           | zope          | >= 4.0 < 4.6.3                                         | 4.6.3
zope           | zope          | >= 5.0 < 5.3                                           | 5.3
zope           | zope          | >= 5.0 < 5.3                                           | 5.3
zopefoundation | accesscontrol | >= 0 < b42dd4badf803bb9fb71ac34cd9cb0c249262f2c       | b42dd4badf803bb9fb71ac34cd9cb0c249262f2c
zopefoundation | accesscontrol | >= 4.0 < 4.3                                           | 4.3
zopefoundation | accesscontrol | >= 5.0 < 5.2                                           | 5.2
zopefoundation | zope          |                                                        |
zopefoundation | zope          |                                                        |

CVSS provenance

Source | Version | Score | Severity | Vector
nvd    | v3.1    | 7.2   | HIGH     | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
nvd    | v2.0    | 6.5   | MEDIUM   | AV:N/AC:L/Au:S/C:P/I:P/A:P
osv    |         | 7.2   | HIGH     |