Vulnerability-Lookup

CVE-2021-32633 (GCVE-0-2021-32633)

Vulnerability from cvelistv5 – Published: 2021-05-21 13:55 – Updated: 2024-08-03 23:25

Title

Remote Code Execution via traversal in TAL expressions

Summary

Zope is an open-source web application server. In Zope versions prior to 4.6 and 5.2, users can access untrusted modules indirectly through Python modules that are available for direct use. By default, only users with the Manager role can add or edit Zope Page Templates through the web, but sites that allow untrusted users to add/edit Zope Page Templates through the web are at risk from this vulnerability. The problem has been fixed in Zope 5.2 and 4.6. As a workaround, a site administrator can restrict adding/editing Zope Page Templates through the web using the standard Zope user/role permission mechanisms. Untrusted users should not be assigned the Zope Manager role and adding/editing Zope Page Templates through the web should be restricted to trusted users only.

Severity ?

6.8 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

CWE

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Assigner

GitHub_M

References

URL

Tags

	https://github.com/zopefoundation/Zope/security/a…	x_refsource_CONFIRM
	https://github.com/zopefoundation/Zope/commit/1f8…	x_refsource_MISC
	http://www.openwall.com/lists/oss-security/2021/05/21/1	mailing-listx_refsource_MLIST
	http://www.openwall.com/lists/oss-security/2021/05/22/1	mailing-listx_refsource_MLIST
	https://cyllective.com/blog/post/plone-authentica…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	zopefoundation	Zope	Affected: < 4.6 Affected: >= 5.0, < 5.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T23:25:30.947Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/zopefoundation/Zope/commit/1f8456bf1f908ea46012537d52bd7e752a532c91"
          },
          {
            "name": "[oss-security] 20210521 Plone security hotfix 20210518",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2021/05/21/1"
          },
          {
            "name": "[oss-security] 20210522 Re: Plone security hotfix 20210518",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2021/05/22/1"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://cyllective.com/blog/post/plone-authenticated-rce-cve-2021-32633/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Zope",
          "vendor": "zopefoundation",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 4.6"
            },
            {
              "status": "affected",
              "version": "\u003e= 5.0, \u003c 5.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Zope is an open-source web application server. In Zope versions prior to 4.6 and 5.2, users can access untrusted modules indirectly through Python modules that are available for direct use. By default, only users with the Manager role can add or edit Zope Page Templates through the web, but sites that allow untrusted users to add/edit Zope Page Templates through the web are at risk from this vulnerability. The problem has been fixed in Zope 5.2 and 4.6. As a workaround, a site administrator can restrict adding/editing Zope Page Templates through the web using the standard Zope user/role permission mechanisms. Untrusted users should not be assigned the Zope Manager role and adding/editing Zope Page Templates through the web should be restricted to trusted users only."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-07-29T11:47:33.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/zopefoundation/Zope/commit/1f8456bf1f908ea46012537d52bd7e752a532c91"
        },
        {
          "name": "[oss-security] 20210521 Plone security hotfix 20210518",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2021/05/21/1"
        },
        {
          "name": "[oss-security] 20210522 Re: Plone security hotfix 20210518",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2021/05/22/1"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://cyllective.com/blog/post/plone-authenticated-rce-cve-2021-32633/"
        }
      ],
      "source": {
        "advisory": "GHSA-5pr9-v234-jw36",
        "discovery": "UNKNOWN"
      },
      "title": "Remote Code Execution via traversal in TAL expressions",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-32633",
          "STATE": "PUBLIC",
          "TITLE": "Remote Code Execution via traversal in TAL expressions"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Zope",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 4.6"
                          },
                          {
                            "version_value": "\u003e= 5.0, \u003c 5.2"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "zopefoundation"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Zope is an open-source web application server. In Zope versions prior to 4.6 and 5.2, users can access untrusted modules indirectly through Python modules that are available for direct use. By default, only users with the Manager role can add or edit Zope Page Templates through the web, but sites that allow untrusted users to add/edit Zope Page Templates through the web are at risk from this vulnerability. The problem has been fixed in Zope 5.2 and 4.6. As a workaround, a site administrator can restrict adding/editing Zope Page Templates through the web using the standard Zope user/role permission mechanisms. Untrusted users should not be assigned the Zope Manager role and adding/editing Zope Page Templates through the web should be restricted to trusted users only."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36",
              "refsource": "CONFIRM",
              "url": "https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36"
            },
            {
              "name": "https://github.com/zopefoundation/Zope/commit/1f8456bf1f908ea46012537d52bd7e752a532c91",
              "refsource": "MISC",
              "url": "https://github.com/zopefoundation/Zope/commit/1f8456bf1f908ea46012537d52bd7e752a532c91"
            },
            {
              "name": "[oss-security] 20210521 Plone security hotfix 20210518",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2021/05/21/1"
            },
            {
              "name": "[oss-security] 20210522 Re: Plone security hotfix 20210518",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2021/05/22/1"
            },
            {
              "name": "https://cyllective.com/blog/post/plone-authenticated-rce-cve-2021-32633/",
              "refsource": "MISC",
              "url": "https://cyllective.com/blog/post/plone-authenticated-rce-cve-2021-32633/"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-5pr9-v234-jw36",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2021-32633",
    "datePublished": "2021-05-21T13:55:10.000Z",
    "dateReserved": "2021-05-12T00:00:00.000Z",
    "dateUpdated": "2024-08-03T23:25:30.947Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

PYSEC-2021-88

Vulnerability from pysec - Published: 2021-05-21 14:15 - Updated: 2021-06-02 03:47

Details

Impacted products

Name	purl
zope	pkg:pypi/zope

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "zope",
        "purl": "pkg:pypi/zope"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1f8456bf1f908ea46012537d52bd7e752a532c91"
            }
          ],
          "repo": "https://github.com/zopefoundation/Zope",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.6"
            },
            {
              "introduced": "5.0"
            },
            {
              "fixed": "5.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "4.0",
        "4.0b1",
        "4.0b10",
        "4.0b2",
        "4.0b3",
        "4.0b4",
        "4.0b5",
        "4.0b6",
        "4.0b7",
        "4.0b8",
        "4.0b9",
        "4.1",
        "4.1.1",
        "4.1.2",
        "4.1.3",
        "4.2",
        "4.2.1",
        "4.3",
        "4.4",
        "4.4.1",
        "4.4.2",
        "4.4.3",
        "4.4.4",
        "4.5",
        "4.5.1",
        "4.5.2",
        "4.5.3",
        "4.5.4",
        "4.5.5",
        "5.0",
        "5.1",
        "5.1.1",
        "5.1.2"
      ]
    }
  ],
  "aliases": [
    "CVE-2021-32633",
    "GHSA-5pr9-v234-jw36",
    "GHSA-962m-m8jw-8wrr"
  ],
  "details": "Zope is an open-source web application server. In Zope versions prior to 4.6 and 5.2, users can access untrusted modules indirectly through Python modules that are available for direct use. By default, only users with the Manager role can add or edit Zope Page Templates through the web, but sites that allow untrusted users to add/edit Zope Page Templates through the web are at risk from this vulnerability. The problem has been fixed in Zope 5.2 and 4.6. As a workaround, a site administrator can restrict adding/editing Zope Page Templates through the web using the standard Zope user/role permission mechanisms. Untrusted users should not be assigned the Zope Manager role and adding/editing Zope Page Templates through the web should be restricted to trusted users only.",
  "id": "PYSEC-2021-88",
  "modified": "2021-06-02T03:47:57.190321Z",
  "published": "2021-05-21T14:15:00Z",
  "references": [
    {
      "type": "FIX",
      "url": "https://github.com/zopefoundation/Zope/commit/1f8456bf1f908ea46012537d52bd7e752a532c91"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2021/05/21/1"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2021/05/22/1"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-962m-m8jw-8wrr"
    }
  ]
}

FKIE_CVE-2021-32633

Vulnerability from fkie_nvd - Published: 2021-05-21 14:15 - Updated: 2024-11-21 06:07

Severity ?

6.8 (Medium) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
security-advisories@github.com	http://www.openwall.com/lists/oss-security/2021/05/21/1	Mailing List, Third Party Advisory
security-advisories@github.com	http://www.openwall.com/lists/oss-security/2021/05/22/1	Mailing List, Third Party Advisory
security-advisories@github.com	https://cyllective.com/blog/post/plone-authenticated-rce-cve-2021-32633/	Exploit, Third Party Advisory
security-advisories@github.com	https://github.com/zopefoundation/Zope/commit/1f8456bf1f908ea46012537d52bd7e752a532c91	Patch, Third Party Advisory
security-advisories@github.com	https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2021/05/21/1	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2021/05/22/1	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://cyllective.com/blog/post/plone-authenticated-rce-cve-2021-32633/	Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/zopefoundation/Zope/commit/1f8456bf1f908ea46012537d52bd7e752a532c91	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36	Third Party Advisory

Impacted products

Vendor	Product	Version
plone	plone	*
plone	plone	*
zope	zope	*
zope	zope	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:plone:plone:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "801F96D6-B2E2-4BA9-9208-7DB0B327BB93",
              "versionEndIncluding": "4.3.20",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:plone:plone:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "49BC6F68-1C5B-4EE6-AF9C-5C28E86CC669",
              "versionEndIncluding": "5.2.4",
              "versionStartIncluding": "5.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zope:zope:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "AED4C9A0-041A-4646-B34B-901DD7EA0652",
              "versionEndExcluding": "4.6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:zope:zope:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "34E88218-F6D6-45B7-B3CC-F97EF7FA2E22",
              "versionEndExcluding": "5.2",
              "versionStartIncluding": "5.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Zope is an open-source web application server. In Zope versions prior to 4.6 and 5.2, users can access untrusted modules indirectly through Python modules that are available for direct use. By default, only users with the Manager role can add or edit Zope Page Templates through the web, but sites that allow untrusted users to add/edit Zope Page Templates through the web are at risk from this vulnerability. The problem has been fixed in Zope 5.2 and 4.6. As a workaround, a site administrator can restrict adding/editing Zope Page Templates through the web using the standard Zope user/role permission mechanisms. Untrusted users should not be assigned the Zope Manager role and adding/editing Zope Page Templates through the web should be restricted to trusted users only."
    },
    {
      "lang": "es",
      "value": "Zope es un servidor de aplicaciones web de c\u00f3digo abierto.\u0026#xa0;En las versiones de Zope anteriores a 4.6 y 5.2, los usuarios pueden acceder a m\u00f3dulos que no son confiables indirectamente por medio de m\u00f3dulos de Python que est\u00e1n disponibles para uso directo.\u0026#xa0;Por defecto, solo los usuarios con la funci\u00f3n de administrador pueden agregar o editar Zope Page Templates por medio de la web, pero los sitios que permiten a usuarios no confiables agregar y editar plantillas de p\u00e1gina de Zope por medio de la web est\u00e1n en riesgo de esta vulnerabilidad.\u0026#xa0;El problema se ha solucionado en Zope versiones 5.2 y 4.6.\u0026#xa0;Como soluci\u00f3n alternativa, un administrador del sitio puede restringir la adici\u00f3n y edici\u00f3n de plantillas de p\u00e1gina Zope por medio de la web utilizando los mecanismos est\u00e1ndar de permisos user/role de Zope. Usuarios no confiables no debe ser asignado el rol de administrador de Zope y Zope Page Templates de adici\u00f3n y edici\u00f3n por medio de la web debe estar restringida solo a usuarios confiables"
    }
  ],
  "id": "CVE-2021-32633",
  "lastModified": "2024-11-21T06:07:25.347",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 6.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.8,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.6,
        "impactScore": 5.2,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-05-21T14:15:07.977",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2021/05/21/1"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2021/05/22/1"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://cyllective.com/blog/post/plone-authenticated-rce-cve-2021-32633/"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/zopefoundation/Zope/commit/1f8456bf1f908ea46012537d52bd7e752a532c91"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2021/05/21/1"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2021/05/22/1"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://cyllective.com/blog/post/plone-authenticated-rce-cve-2021-32633/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/zopefoundation/Zope/commit/1f8456bf1f908ea46012537d52bd7e752a532c91"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GSD-2021-32633

Vulnerability from gsd - Updated: 2023-12-13 01:23

Details

Aliases

CVE-2021-32633

Aliases

CVE-2021-32633

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2021-32633",
    "description": "Zope is an open-source web application server. In Zope versions prior to 4.6 and 5.2, users can access untrusted modules indirectly through Python modules that are available for direct use. By default, only users with the Manager role can add or edit Zope Page Templates through the web, but sites that allow untrusted users to add/edit Zope Page Templates through the web are at risk from this vulnerability. The problem has been fixed in Zope 5.2 and 4.6. As a workaround, a site administrator can restrict adding/editing Zope Page Templates through the web using the standard Zope user/role permission mechanisms. Untrusted users should not be assigned the Zope Manager role and adding/editing Zope Page Templates through the web should be restricted to trusted users only.",
    "id": "GSD-2021-32633"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2021-32633"
      ],
      "details": "Zope is an open-source web application server. In Zope versions prior to 4.6 and 5.2, users can access untrusted modules indirectly through Python modules that are available for direct use. By default, only users with the Manager role can add or edit Zope Page Templates through the web, but sites that allow untrusted users to add/edit Zope Page Templates through the web are at risk from this vulnerability. The problem has been fixed in Zope 5.2 and 4.6. As a workaround, a site administrator can restrict adding/editing Zope Page Templates through the web using the standard Zope user/role permission mechanisms. Untrusted users should not be assigned the Zope Manager role and adding/editing Zope Page Templates through the web should be restricted to trusted users only.",
      "id": "GSD-2021-32633",
      "modified": "2023-12-13T01:23:08.782497Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2021-32633",
        "STATE": "PUBLIC",
        "TITLE": "Remote Code Execution via traversal in TAL expressions"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Zope",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "\u003c 4.6"
                        },
                        {
                          "version_value": "\u003e= 5.0, \u003c 5.2"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "zopefoundation"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Zope is an open-source web application server. In Zope versions prior to 4.6 and 5.2, users can access untrusted modules indirectly through Python modules that are available for direct use. By default, only users with the Manager role can add or edit Zope Page Templates through the web, but sites that allow untrusted users to add/edit Zope Page Templates through the web are at risk from this vulnerability. The problem has been fixed in Zope 5.2 and 4.6. As a workaround, a site administrator can restrict adding/editing Zope Page Templates through the web using the standard Zope user/role permission mechanisms. Untrusted users should not be assigned the Zope Manager role and adding/editing Zope Page Templates through the web should be restricted to trusted users only."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.8,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36",
            "refsource": "CONFIRM",
            "url": "https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36"
          },
          {
            "name": "https://github.com/zopefoundation/Zope/commit/1f8456bf1f908ea46012537d52bd7e752a532c91",
            "refsource": "MISC",
            "url": "https://github.com/zopefoundation/Zope/commit/1f8456bf1f908ea46012537d52bd7e752a532c91"
          },
          {
            "name": "[oss-security] 20210521 Plone security hotfix 20210518",
            "refsource": "MLIST",
            "url": "http://www.openwall.com/lists/oss-security/2021/05/21/1"
          },
          {
            "name": "[oss-security] 20210522 Re: Plone security hotfix 20210518",
            "refsource": "MLIST",
            "url": "http://www.openwall.com/lists/oss-security/2021/05/22/1"
          },
          {
            "name": "https://cyllective.com/blog/post/plone-authenticated-rce-cve-2021-32633/",
            "refsource": "MISC",
            "url": "https://cyllective.com/blog/post/plone-authenticated-rce-cve-2021-32633/"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-5pr9-v234-jw36",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c=4.3.20||\u003e=5.0,\u003c=5.2.4",
          "affected_versions": "All versions up to 4.3.20, all versions starting from 5.0 up to 5.2.4",
          "cvss_v2": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-22",
            "CWE-937"
          ],
          "date": "2022-04-06",
          "description": "Untrusted users should not be assigned the Zope Manager role and adding/editing Zope Page Templates through the web should be restricted to trusted users only.",
          "fixed_versions": [
            "5.2.5"
          ],
          "identifier": "CVE-2021-32633",
          "identifiers": [
            "CVE-2021-32633",
            "GHSA-5pr9-v234-jw36"
          ],
          "not_impacted": "All versions after 4.3.20 before 5.0, all versions after 5.2.4",
          "package_slug": "pypi/Plone",
          "pubdate": "2021-05-21",
          "solution": "Upgrade to version 5.2.5 or above.",
          "title": "Path Traversal",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2021-32633"
          ],
          "uuid": "fd402a84-32fe-4da0-a7fc-a1eb8353049b"
        },
        {
          "affected_range": "\u003c4.6||\u003e=5.0,\u003c5.2",
          "affected_versions": "All versions before 4.6, all versions starting from 5.0 before 5.2",
          "cvss_v2": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-22",
            "CWE-937"
          ],
          "date": "2022-04-06",
          "description": "Untrusted users should not be assigned the Zope Manager role and adding/editing Zope Page Templates through the web should be restricted to trusted users only.",
          "fixed_versions": [
            "4.6",
            "5.2"
          ],
          "identifier": "CVE-2021-32633",
          "identifiers": [
            "CVE-2021-32633",
            "GHSA-5pr9-v234-jw36"
          ],
          "not_impacted": "All versions starting from 4.6 before 5.0, all versions starting from 5.2",
          "package_slug": "pypi/zope",
          "pubdate": "2021-05-21",
          "solution": "Upgrade to versions 4.6, 5.2 or above.",
          "title": "Path Traversal",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2021-32633"
          ],
          "uuid": "50efdf83-6c1c-47df-b746-46e90f5168a5"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:plone:plone:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "4.3.20",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:plone:plone:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "5.2.4",
                "versionStartIncluding": "5.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:zope:zope:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "4.6",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:zope:zope:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "5.2",
                "versionStartIncluding": "5.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-32633"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Zope is an open-source web application server. In Zope versions prior to 4.6 and 5.2, users can access untrusted modules indirectly through Python modules that are available for direct use. By default, only users with the Manager role can add or edit Zope Page Templates through the web, but sites that allow untrusted users to add/edit Zope Page Templates through the web are at risk from this vulnerability. The problem has been fixed in Zope 5.2 and 4.6. As a workaround, a site administrator can restrict adding/editing Zope Page Templates through the web using the standard Zope user/role permission mechanisms. Untrusted users should not be assigned the Zope Manager role and adding/editing Zope Page Templates through the web should be restricted to trusted users only."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-22"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/zopefoundation/Zope/commit/1f8456bf1f908ea46012537d52bd7e752a532c91",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/zopefoundation/Zope/commit/1f8456bf1f908ea46012537d52bd7e752a532c91"
            },
            {
              "name": "https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36",
              "refsource": "CONFIRM",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36"
            },
            {
              "name": "[oss-security] 20210521 Plone security hotfix 20210518",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2021/05/21/1"
            },
            {
              "name": "[oss-security] 20210522 Re: Plone security hotfix 20210518",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2021/05/22/1"
            },
            {
              "name": "https://cyllective.com/blog/post/plone-authenticated-rce-cve-2021-32633/",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Third Party Advisory"
              ],
              "url": "https://cyllective.com/blog/post/plone-authenticated-rce-cve-2021-32633/"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.5,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 8.0,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2022-04-06T17:48Z",
      "publishedDate": "2021-05-21T14:15Z"
    }
  }
}

GHSA-5PR9-V234-JW36

Vulnerability from github – Published: 2021-06-18 18:44 – Updated: 2024-11-19 18:29

Summary

Remote Code Execution via traversal in TAL expressions

Details

Impact

Most Python modules are not available for using in TAL expressions that you can add through-the-web, for example in Zope Page Templates. This restriction avoids file system access, for example via the 'os' module. But some of the untrusted modules are available indirectly through Python modules that are available for direct use.

By default, you need to have the Manager role to add or edit Zope Page Templates through the web. Only sites that allow untrusted users to add/edit Zope Page Templates through the web are at risk.

Patches

The problem has been fixed in Zope 5.2 and 4.6.

Workarounds

A site administrator can restrict adding/editing Zope Page Templates through the web using the standard Zope user/role permission mechanisms. Untrusted users should not be assigned the Zope Manager role and adding/editing Zope Page Templates through the web should be restricted to trusted users only.

For more information

If you have any questions or comments about this advisory: * Open an issue in the Zope issue tracker * Email us at security@plone.org

Severity ?

6.8 (Medium)


                  
                    CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

7.6 (High)


                  
                    CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "Zope"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "Zope"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0"
            },
            {
              "fixed": "5.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-32633"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-21T16:26:15Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Impact\nMost Python modules are not available for using in TAL expressions that you can add through-the-web, for example in Zope Page Templates. This restriction avoids file system access, for example via the \u0027os\u0027 module. But some of the untrusted modules are available indirectly through Python modules that are available for direct use.\n\nBy default, you need to have the Manager role to add or edit Zope Page Templates through the web. Only sites that allow untrusted users to add/edit Zope Page Templates through the web are at risk.\n\n### Patches\nThe problem has been fixed in Zope 5.2 and 4.6.\n\n### Workarounds\nA site administrator can restrict adding/editing Zope Page Templates through the web using the standard Zope user/role permission mechanisms. Untrusted users should not be assigned the Zope Manager role and adding/editing Zope Page Templates through the web should be restricted to trusted users only.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in the [Zope issue tracker](https://github.com/zopefoundation/Zope/issues)\n* Email us at [security@plone.org](mailto:security@plone.org)\n",
  "id": "GHSA-5pr9-v234-jw36",
  "modified": "2024-11-19T18:29:40Z",
  "published": "2021-06-18T18:44:01Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32633"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zopefoundation/Zope/commit/1f8456bf1f908ea46012537d52bd7e752a532c91"
    },
    {
      "type": "WEB",
      "url": "https://cyllective.com/blog/post/plone-authenticated-rce-cve-2021-32633"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/zope/PYSEC-2021-88.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/zopefoundation/Zope"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2021/05/21/1"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2021/05/22/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Remote Code Execution via traversal in TAL expressions"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2021-32633 (GCVE-0-2021-32633)

PYSEC-2021-88

FKIE_CVE-2021-32633

GSD-2021-32633

GHSA-5PR9-V234-JW36

Impact

Patches

Workarounds

For more information

Tags

Sightings

Nomenclature