CVE - CVE-2021-32811

CVE-ID
CVE-2021-32811	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
Zope is an open-source web application server. Zope versions prior to versions 4.6.3 and 5.3 have a remote code execution security issue. In order to be affected, one must use Python 3 for one's Zope deployment, run Zope 4 below version 4.6.3 or Zope 5 below version 5.3, and have the optional `Products.PythonScripts` add-on package installed. By default, one must have the admin-level Zope "Manager" role to add or edit Script (Python) objects through the web. Only sites that allow untrusted users to add/edit these scripts through the web are at risk. Zope releases 4.6.3 and 5.3 are not vulnerable. As a workaround, a site administrator can restrict adding/editing Script (Python) objects through the web using the standard Zope user/role permission mechanisms. Untrusted users should not be assigned the Zope Manager role and adding/editing these scripts through the web should be restricted to trusted users only. This is the default configuration in Zope.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
CONFIRM:https://github.com/zopefoundation/Zope/security/advisories/GHSA-g4gq-j4p2-j8fr URL:https://github.com/zopefoundation/Zope/security/advisories/GHSA-g4gq-j4p2-j8fr MISC:https://github.com/zopefoundation/AccessControl/security/advisories/GHSA-qcx9-j53g-ccgf URL:https://github.com/zopefoundation/AccessControl/security/advisories/GHSA-qcx9-j53g-ccgf MISC:https://github.com/zopefoundation/Zope/commit/f72a18dda8e9bf2aedb46168761668464a4be988 URL:https://github.com/zopefoundation/Zope/commit/f72a18dda8e9bf2aedb46168761668464a4be988
Assigning CNA
GitHub (maintainer security advisories)
Date Record Created
20210512	Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20210512)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: CVE Request Web Form (select "Other" from dropdown)