CVE-2023-37271
published 2023-07-11


Priority: P2 · 62 · critical
CVSS 3.1 base score: 9.9 (AV:N / AC:L / PR:L / UI:N / S:C / C:H / I:H / A:H)
EPSS: 0.77% (50.9th percentile)
RestrictedPython is a tool that helps to define a subset of the Python language which allows users to provide a program input into a trusted environment. RestrictedPython does not check access to stack frames and their attributes. Stack frames are accessible within at least generators and generator expressions, which are allowed inside RestrictedPython. Prior to versions 6.1 and 5.3, an attacker with access to a RestrictedPython environment can write code that gets the current stack frame in a generator and then walk the stack all the way beyond the RestrictedPython invocation boundary, thus breaking out of the restricted sandbox and potentially allowing arbitrary code execution in the Python interpreter. All RestrictedPython deployments that allow untrusted users to write Python code in the RestrictedPython environment are at risk. In terms of Zope and Plone, this would mean deployments where the administrator allows untrusted users to create and/or edit objects of type `Script (Python)`, `DTML Method`, `DTML Document` or `Zope Page Template`. This is a non-default configuration and likely to be extremely rare. The problem has been fixed in versions 6.1 and 5.3.

Affected (12 ranges)

Vendor          Product           Version range                         Fixed in
debian          restrictedpython  < restrictedpython 6.2-1 (forky)      restrictedpython 6.2-1 (forky)
zope            restrictedpython  < 5.3                                 5.3
zope            restrictedpython  (not specified)                       (not specified)
zopefoundation  restrictedpython  < 5.3                                 5.3
zopefoundation  restrictedpython  (not specified)                       (not specified)
zopefoundation  restrictedpython  >= 0, < 6.2-1                         6.2-1
zopefoundation  restrictedpython  >= 0, < 6.2-1                         6.2-1
zopefoundation  restrictedpython  >= 0, < 5.3                           5.3
zopefoundation  restrictedpython  >= 0, < 4.0~b3-2ubuntu0.1~esm1        4.0~b3-2ubuntu0.1~esm1
zopefoundation  restrictedpython  >= 0, < 4.0~b3-3ubuntu0.1~esm1        4.0~b3-3ubuntu0.1~esm1
zopefoundation  restrictedpython  >= 0, < 6.2-1ubuntu0.24.04.1~esm1     6.2-1ubuntu0.24.04.1~esm1
zopefoundation  restrictedpython  >= 6.0a1.dev0, < 6.1                  6.1

Detection & IOCs (extracted from sources)

  • Exploit vector uses generator or generator expression constructs to access the current stack frame (`gi_frame`) and walk up the call stack beyond the RestrictedPython sandbox boundary — monitor for use of frame-walking attributes (e.g., `f_back`, `gi_frame`) inside RestrictedPython-evaluated code.
  • Audit untrusted user-editable Zope/Plone object types — `Script (Python)`, `DTML Method`, `DTML Document`, and `Zope Page Template` — as these are the surfaces through which exploit code would be submitted.
  • Stack frame access is not blocked in RestrictedPython prior to versions 6.1 and 5.3; flag any RestrictedPython deployment running versions below these thresholds as vulnerable.
  • Exploitation requires a non-default configuration where untrusted users are permitted to write Python code in the RestrictedPython environment; default deployments are not at risk.
  • All RestrictedPython deployments that permit untrusted user code submission are in scope, not just Zope/Plone.
  • On Debian, bookworm and bullseye remain open (unpatched); forky, sid, and trixie are resolved at version 6.2-1.
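The two checks the detection items above call for (flagging frame-walking attribute names in submitted code, and deciding whether an upstream version is below the 5.3 / 6.1 fix threshold) as an added example. This is not code from the advisory or from the RestrictedPython project; the `FRAME_ATTRS` set, the helper names and the two sample scripts are constructed here for illustration, and the attribute list is intentionally limited to the two names the advisory cites.

```python
from __future__ import annotations

import ast
import re
from dataclasses import dataclass

# Attribute names the advisory cites for the frame-walking escape.  This set is
# an assumption of this example (not a RestrictedPython-provided list) and is
# deliberately minimal; a deployment would extend it to its own policy.
FRAME_ATTRS = frozenset({"gi_frame", "f_back"})


@dataclass(frozen=True)
class Finding:
    line: int
    col: int
    detail: str


def scan_source(source: str) -> list[Finding]:
    """Flag attribute access and string literals that name frame attributes.

    Parses `source` with the stdlib `ast` module.  String literals are reported
    as well because getattr(obj, "gi_frame") reaches the same attribute without
    producing an ast.Attribute node.  Unparseable input is itself a finding.
    """
    try:
        tree = ast.parse(source)
    except SyntaxError as exc:
        return [Finding(exc.lineno or 0, exc.offset or 0, f"syntax error: {exc.msg}")]

    findings: list[Finding] = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Attribute) and node.attr in FRAME_ATTRS:
            findings.append(Finding(node.lineno, node.col_offset,
                                    f"attribute access .{node.attr}"))
        elif (isinstance(node, ast.Constant) and isinstance(node.value, str)
              and node.value in FRAME_ATTRS):
            findings.append(Finding(node.lineno, node.col_offset,
                                    f"string literal {node.value!r}"))
    return findings


def is_fixed_upstream_version(version: str) -> bool:
    """True when an upstream RestrictedPython version string is at or above the
    fixed releases named in the advisory (5.3 for 5.x, 6.1 for 6.x).

    Only the first two numeric components are compared, so a pre-release such
    as 6.0a1.dev0 compares as 6.0 (affected).  Distribution packages that carry
    the fix under an older upstream number (the Ubuntu ESM rows in the table)
    must be checked by package version, not by this function.
    """
    nums = [int(p) for p in re.findall(r"\d+", version)[:2]]
    nums += [0] * (2 - len(nums))
    major, minor = nums
    if major >= 7:
        return True
    if major == 6:
        return minor >= 1
    if major == 5:
        return minor >= 3
    return False


# Constructed sample inputs for the scanner (not taken from any real submission).
BENIGN_SCRIPT = "total = sum(x * x for x in range(10))\n"
SUSPECT_SCRIPT = (
    "g = (x for x in range(1))\n"
    "frame = g.gi_frame.f_back\n"
    "other = getattr(g, 'gi_frame')\n"
)

if __name__ == "__main__":
    for label, src in (("benign", BENIGN_SCRIPT), ("suspect", SUSPECT_SCRIPT)):
        hits = scan_source(src)
        print(f"{label}: {len(hits)} finding(s)")
        for hit in hits:
            print(f"  line {hit.line} col {hit.col}: {hit.detail}")
    for v in ("5.2", "5.3", "6.0a1.dev0", "6.1", "6.2-1"):
        print(f"{v}: {'fixed' if is_fixed_upstream_version(v) else 'affected'}")
```

A name-based scan is a compensating control for logging and alerting, not a substitute for upgrading: attribute names can be assembled at runtime, and only the fixed releases (5.3 / 6.1) close the underlying frame-access gap.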

CVSS provenance

  • nvd: v3.1, 9.9 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • osv: 9.9 CRITICAL
  • vendor_debian: 8.4 HIGH
  • vendor_ubuntu: 8.4 HIGH