CVE-2021-32674
Vulnerability from cvelistv5
Published
2021-06-08 17:45
Modified
2024-08-03 23:25
Severity ?
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Zope is an open-source web application server. This advisory extends the previous advisory at https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36 with additional cases of TAL expression traversal vulnerabilities. Most Python modules are not available for using in TAL expressions that you can add through-the-web, for example in Zope Page Templates. This restriction avoids file system access, for example via the 'os' module. But some of the untrusted modules are available indirectly through Python modules that are available for direct use. By default, you need to have the Manager role to add or edit Zope Page Templates through the web. Only sites that allow untrusted users to add/edit Zope Page Templates through the web are at risk. The problem has been fixed in Zope 5.2.1 and 4.6.1. The workaround is the same as for https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36: A site administrator can restrict adding/editing Zope Page Templates through the web using the standard Zope user/role permission mechanisms. Untrusted users should not be assigned the Zope Manager role and adding/editing Zope Page Templates through the web should be restricted to trusted users only.
References
security-advisories@github.comhttps://github.com/zopefoundation/Zope/commit/1d897910139e2c0b11984fc9b78c1da1365bec21Patch, Third Party Advisory
security-advisories@github.comhttps://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36Third Party Advisory
security-advisories@github.comhttps://github.com/zopefoundation/Zope/security/advisories/GHSA-rpcg-f9q6-2mq6Third Party Advisory
security-advisories@github.comhttps://pypi.org/project/Zope/Product
af854a3a-2127-422b-91ae-364da2661108https://github.com/zopefoundation/Zope/commit/1d897910139e2c0b11984fc9b78c1da1365bec21Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/zopefoundation/Zope/security/advisories/GHSA-rpcg-f9q6-2mq6Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://pypi.org/project/Zope/Product
Impacted products
Vendor Product Version
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T23:25:31.128Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/zopefoundation/Zope/security/advisories/GHSA-rpcg-f9q6-2mq6"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/zopefoundation/Zope/commit/1d897910139e2c0b11984fc9b78c1da1365bec21"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://pypi.org/project/Zope/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Zope",
          "vendor": "zopefoundation",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 5.0.0, \u003c 5.2.1"
            },
            {
              "status": "affected",
              "version": "\u003c 4.6.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Zope is an open-source web application server. This advisory extends the previous advisory at https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36 with additional cases of TAL expression traversal vulnerabilities. Most Python modules are not available for using in TAL expressions that you can add through-the-web, for example in Zope Page Templates. This restriction avoids file system access, for example via the \u0027os\u0027 module. But some of the untrusted modules are available indirectly through Python modules that are available for direct use. By default, you need to have the Manager role to add or edit Zope Page Templates through the web. Only sites that allow untrusted users to add/edit Zope Page Templates through the web are at risk. The problem has been fixed in Zope 5.2.1 and 4.6.1. The workaround is the same as for https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36: A site administrator can restrict adding/editing Zope Page Templates through the web using the standard Zope user/role permission mechanisms. Untrusted users should not be assigned the Zope Manager role and adding/editing Zope Page Templates through the web should be restricted to trusted users only."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-12-17T16:29:37",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/zopefoundation/Zope/security/advisories/GHSA-rpcg-f9q6-2mq6"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/zopefoundation/Zope/commit/1d897910139e2c0b11984fc9b78c1da1365bec21"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://pypi.org/project/Zope/"
        }
      ],
      "source": {
        "advisory": "GHSA-rpcg-f9q6-2mq6",
        "discovery": "UNKNOWN"
      },
      "title": "Remote Code Execution via traversal in TAL expressions",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-32674",
          "STATE": "PUBLIC",
          "TITLE": "Remote Code Execution via traversal in TAL expressions"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Zope",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003e= 5.0.0, \u003c 5.2.1"
                          },
                          {
                            "version_value": "\u003c 4.6.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "zopefoundation"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Zope is an open-source web application server. This advisory extends the previous advisory at https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36 with additional cases of TAL expression traversal vulnerabilities. Most Python modules are not available for using in TAL expressions that you can add through-the-web, for example in Zope Page Templates. This restriction avoids file system access, for example via the \u0027os\u0027 module. But some of the untrusted modules are available indirectly through Python modules that are available for direct use. By default, you need to have the Manager role to add or edit Zope Page Templates through the web. Only sites that allow untrusted users to add/edit Zope Page Templates through the web are at risk. The problem has been fixed in Zope 5.2.1 and 4.6.1. The workaround is the same as for https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36: A site administrator can restrict adding/editing Zope Page Templates through the web using the standard Zope user/role permission mechanisms. Untrusted users should not be assigned the Zope Manager role and adding/editing Zope Page Templates through the web should be restricted to trusted users only."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/zopefoundation/Zope/security/advisories/GHSA-rpcg-f9q6-2mq6",
              "refsource": "CONFIRM",
              "url": "https://github.com/zopefoundation/Zope/security/advisories/GHSA-rpcg-f9q6-2mq6"
            },
            {
              "name": "https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36",
              "refsource": "MISC",
              "url": "https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36"
            },
            {
              "name": "https://github.com/zopefoundation/Zope/commit/1d897910139e2c0b11984fc9b78c1da1365bec21",
              "refsource": "MISC",
              "url": "https://github.com/zopefoundation/Zope/commit/1d897910139e2c0b11984fc9b78c1da1365bec21"
            },
            {
              "name": "https://pypi.org/project/Zope/",
              "refsource": "MISC",
              "url": "https://pypi.org/project/Zope/"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-rpcg-f9q6-2mq6",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2021-32674",
    "datePublished": "2021-06-08T17:45:12",
    "dateReserved": "2021-05-12T00:00:00",
    "dateUpdated": "2024-08-03T23:25:31.128Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:zope:zope:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"4.6.1\", \"matchCriteriaId\": \"712BA8E7-7A6A-45C3-956C-50A504307324\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:zope:zope:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"5.0.0\", \"versionEndExcluding\": \"5.2.1\", \"matchCriteriaId\": \"A81939E1-6719-4032-960C-4B181E9E4E28\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Zope is an open-source web application server. This advisory extends the previous advisory at https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36 with additional cases of TAL expression traversal vulnerabilities. Most Python modules are not available for using in TAL expressions that you can add through-the-web, for example in Zope Page Templates. This restriction avoids file system access, for example via the \u0027os\u0027 module. But some of the untrusted modules are available indirectly through Python modules that are available for direct use. By default, you need to have the Manager role to add or edit Zope Page Templates through the web. Only sites that allow untrusted users to add/edit Zope Page Templates through the web are at risk. The problem has been fixed in Zope 5.2.1 and 4.6.1. The workaround is the same as for https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36: A site administrator can restrict adding/editing Zope Page Templates through the web using the standard Zope user/role permission mechanisms. Untrusted users should not be assigned the Zope Manager role and adding/editing Zope Page Templates through the web should be restricted to trusted users only.\"}, {\"lang\": \"es\", \"value\": \"Zope es un servidor de aplicaciones web de c\\u00f3digo abierto. Este aviso ampl\\u00eda el aviso anterior en https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36 con casos adicionales de vulnerabilidades de cruce de expresiones TAL. La mayor\\u00eda de los m\\u00f3dulos de Python no est\\u00e1n disponibles para su uso en expresiones TAL que se pueden a\\u00f1adir a trav\\u00e9s de la web, por ejemplo en las plantillas de p\\u00e1ginas de Zope. Esta restricci\\u00f3n evita el acceso al sistema de archivos, por ejemplo a trav\\u00e9s del m\\u00f3dulo \u0027os\u0027. Pero algunos de los m\\u00f3dulos no confiables est\\u00e1n disponibles indirectamente a trav\\u00e9s de los m\\u00f3dulos de Python que est\\u00e1n disponibles para su uso directo. Por defecto, es necesario tener el rol de Administrador para a\\u00f1adir o editar Plantillas de P\\u00e1gina Zope a trav\\u00e9s de la web. S\\u00f3lo los sitios que permiten a los usuarios no confiables a\\u00f1adir/editar Plantillas de P\\u00e1gina Zope a trav\\u00e9s de la web est\\u00e1n en riesgo. El problema se ha solucionado en Zope versiones 5.2.1 y 4.6.1. La soluci\\u00f3n es la misma que para https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36: Un administrador del sitio puede restringir la adici\\u00f3n/edici\\u00f3n de Plantillas de P\\u00e1gina Zope a trav\\u00e9s de la web utilizando los mecanismos est\\u00e1ndar de permisos de usuario/rol de Zope. A los usuarios que no sean de confianza no se les debe asignar el rol de Gestor de Zope y a\\u00f1adir/editar Plantillas de P\\u00e1gina Zope a trav\\u00e9s de la web debe estar restringido s\\u00f3lo a los usuarios de confianza\"}]",
      "id": "CVE-2021-32674",
      "lastModified": "2024-11-21T06:07:30.350",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 8.8, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 5.9}, {\"source\": \"nvd@nist.gov\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 8.8, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 5.9}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:S/C:P/I:P/A:P\", \"baseScore\": 6.5, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"SINGLE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.0, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2021-06-08T18:15:08.307",
      "references": "[{\"url\": \"https://github.com/zopefoundation/Zope/commit/1d897910139e2c0b11984fc9b78c1da1365bec21\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://github.com/zopefoundation/Zope/security/advisories/GHSA-rpcg-f9q6-2mq6\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://pypi.org/project/Zope/\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Product\"]}, {\"url\": \"https://github.com/zopefoundation/Zope/commit/1d897910139e2c0b11984fc9b78c1da1365bec21\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://github.com/zopefoundation/Zope/security/advisories/GHSA-rpcg-f9q6-2mq6\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://pypi.org/project/Zope/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Product\"]}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-22\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-22\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-32674\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2021-06-08T18:15:08.307\",\"lastModified\":\"2024-11-21T06:07:30.350\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Zope is an open-source web application server. This advisory extends the previous advisory at https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36 with additional cases of TAL expression traversal vulnerabilities. Most Python modules are not available for using in TAL expressions that you can add through-the-web, for example in Zope Page Templates. This restriction avoids file system access, for example via the \u0027os\u0027 module. But some of the untrusted modules are available indirectly through Python modules that are available for direct use. By default, you need to have the Manager role to add or edit Zope Page Templates through the web. Only sites that allow untrusted users to add/edit Zope Page Templates through the web are at risk. The problem has been fixed in Zope 5.2.1 and 4.6.1. The workaround is the same as for https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36: A site administrator can restrict adding/editing Zope Page Templates through the web using the standard Zope user/role permission mechanisms. Untrusted users should not be assigned the Zope Manager role and adding/editing Zope Page Templates through the web should be restricted to trusted users only.\"},{\"lang\":\"es\",\"value\":\"Zope es un servidor de aplicaciones web de c\u00f3digo abierto. Este aviso ampl\u00eda el aviso anterior en https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36 con casos adicionales de vulnerabilidades de cruce de expresiones TAL. La mayor\u00eda de los m\u00f3dulos de Python no est\u00e1n disponibles para su uso en expresiones TAL que se pueden a\u00f1adir a trav\u00e9s de la web, por ejemplo en las plantillas de p\u00e1ginas de Zope. Esta restricci\u00f3n evita el acceso al sistema de archivos, por ejemplo a trav\u00e9s del m\u00f3dulo \u0027os\u0027. Pero algunos de los m\u00f3dulos no confiables est\u00e1n disponibles indirectamente a trav\u00e9s de los m\u00f3dulos de Python que est\u00e1n disponibles para su uso directo. Por defecto, es necesario tener el rol de Administrador para a\u00f1adir o editar Plantillas de P\u00e1gina Zope a trav\u00e9s de la web. S\u00f3lo los sitios que permiten a los usuarios no confiables a\u00f1adir/editar Plantillas de P\u00e1gina Zope a trav\u00e9s de la web est\u00e1n en riesgo. El problema se ha solucionado en Zope versiones 5.2.1 y 4.6.1. La soluci\u00f3n es la misma que para https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36: Un administrador del sitio puede restringir la adici\u00f3n/edici\u00f3n de Plantillas de P\u00e1gina Zope a trav\u00e9s de la web utilizando los mecanismos est\u00e1ndar de permisos de usuario/rol de Zope. A los usuarios que no sean de confianza no se les debe asignar el rol de Gestor de Zope y a\u00f1adir/editar Plantillas de P\u00e1gina Zope a trav\u00e9s de la web debe estar restringido s\u00f3lo a los usuarios de confianza\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9},{\"source\":\"nvd@nist.gov\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:S/C:P/I:P/A:P\",\"baseScore\":6.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zope:zope:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"4.6.1\",\"matchCriteriaId\":\"712BA8E7-7A6A-45C3-956C-50A504307324\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zope:zope:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.0.0\",\"versionEndExcluding\":\"5.2.1\",\"matchCriteriaId\":\"A81939E1-6719-4032-960C-4B181E9E4E28\"}]}]}],\"references\":[{\"url\":\"https://github.com/zopefoundation/Zope/commit/1d897910139e2c0b11984fc9b78c1da1365bec21\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/zopefoundation/Zope/security/advisories/GHSA-rpcg-f9q6-2mq6\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://pypi.org/project/Zope/\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\"]},{\"url\":\"https://github.com/zopefoundation/Zope/commit/1d897910139e2c0b11984fc9b78c1da1365bec21\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/zopefoundation/Zope/security/advisories/GHSA-rpcg-f9q6-2mq6\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://pypi.org/project/Zope/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Product\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.