Vulnerability Details: CVE-2021-32811
Zope is an open-source web application server. Zope versions prior to versions 4.6.3 and 5.3 have a remote code execution security issue. In order to be affected, one must use Python 3 for one's Zope deployment, run Zope 4 below version 4.6.3 or Zope 5 below version 5.3, and have the optional `Products.PythonScripts` add-on package installed. By default, one must have the admin-level Zope "Manager" role to add or edit Script (Python) objects through the web. Only sites that allow untrusted users to add/edit these scripts through the web are at risk. Zope releases 4.6.3 and 5.3 are not vulnerable. As a workaround, a site administrator can restrict adding/editing Script (Python) objects through the web using the standard Zope user/role permission mechanisms. Untrusted users should not be assigned the Zope Manager role and adding/editing these scripts through the web should be restricted to trusted users only. This is the default configuration in Zope.
Vulnerability category: Execute code
Products affected by CVE-2021-32811
- cpe:2.3:a:zope:zope:*:*:*:*:*:*:*:*
- cpe:2.3:a:zope:accesscontrol:*:*:*:*:*:*:*:*
Threat overview for CVE-2021-32811
- Top open port discovered on systems with this issue: 443
- IPs affected by CVE-2021-32811: 9
- Threat actors abusing this issue: Yes
Exploit prediction scoring system (EPSS) score for CVE-2021-32811
- EPSS score: 1.29% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~86% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2021-32811
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P | 8.0 | 6.4 | NIST | 
7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | 1.2 | 5.9 | NIST | 
7.5 | HIGH | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.6 | 5.9 | GitHub, Inc. | 
CWE ids for CVE-2021-32811
- The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified. (Assigned by: security-advisories@github.com, Secondary)
- The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2021-32811
- https://github.com/zopefoundation/Zope/security/advisories/GHSA-g4gq-j4p2-j8fr
  Remote Code Execution via Script (Python) objects under Python 3 · Advisory · zopefoundation/Zope · GitHub (Third Party Advisory)
- https://github.com/zopefoundation/AccessControl/security/advisories/GHSA-qcx9-j53g-ccgf
  Remote Code Execution via unsafe classes in otherwise permitted modules · Advisory · zopefoundation/AccessControl · GitHub (Third Party Advisory)
- https://github.com/zopefoundation/Zope/commit/f72a18dda8e9bf2aedb46168761668464a4be988
  Merge pull request from GHSA-g4gq-j4p2-j8fr · zopefoundation/Zope@f72a18d · GitHub (Patch; Third Party Advisory)