cve-2021-32633
Vulnerability from cvelistv5
Published
2021-05-21 13:55
Modified
2024-08-03 23:25
Severity ?
6.8 (Medium) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
Summary
Zope is an open-source web application server. In Zope versions prior to 4.6 and 5.2, users can access untrusted modules indirectly through Python modules that are available for direct use. By default, only users with the Manager role can add or edit Zope Page Templates through the web, but sites that allow untrusted users to add/edit Zope Page Templates through the web are at risk from this vulnerability. The problem has been fixed in Zope 5.2 and 4.6. As a workaround, a site administrator can restrict adding/editing Zope Page Templates through the web using the standard Zope user/role permission mechanisms. Untrusted users should not be assigned the Zope Manager role and adding/editing Zope Page Templates through the web should be restricted to trusted users only.
References
security-advisories@github.comhttp://www.openwall.com/lists/oss-security/2021/05/21/1Mailing List, Third Party Advisory
security-advisories@github.comhttp://www.openwall.com/lists/oss-security/2021/05/22/1Mailing List, Third Party Advisory
security-advisories@github.comhttps://cyllective.com/blog/post/plone-authenticated-rce-cve-2021-32633/Exploit, Third Party Advisory
security-advisories@github.comhttps://github.com/zopefoundation/Zope/commit/1f8456bf1f908ea46012537d52bd7e752a532c91Patch, Third Party Advisory
security-advisories@github.comhttps://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108http://www.openwall.com/lists/oss-security/2021/05/21/1Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108http://www.openwall.com/lists/oss-security/2021/05/22/1Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://cyllective.com/blog/post/plone-authenticated-rce-cve-2021-32633/Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/zopefoundation/Zope/commit/1f8456bf1f908ea46012537d52bd7e752a532c91Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36Third Party Advisory
Impacted products
Vendor Product Version
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T23:25:30.947Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/zopefoundation/Zope/commit/1f8456bf1f908ea46012537d52bd7e752a532c91"
          },
          {
            "name": "[oss-security] 20210521 Plone security hotfix 20210518",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2021/05/21/1"
          },
          {
            "name": "[oss-security] 20210522 Re: Plone security hotfix 20210518",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2021/05/22/1"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://cyllective.com/blog/post/plone-authenticated-rce-cve-2021-32633/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Zope",
          "vendor": "zopefoundation",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 4.6"
            },
            {
              "status": "affected",
              "version": "\u003e= 5.0, \u003c 5.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Zope is an open-source web application server. In Zope versions prior to 4.6 and 5.2, users can access untrusted modules indirectly through Python modules that are available for direct use. By default, only users with the Manager role can add or edit Zope Page Templates through the web, but sites that allow untrusted users to add/edit Zope Page Templates through the web are at risk from this vulnerability. The problem has been fixed in Zope 5.2 and 4.6. As a workaround, a site administrator can restrict adding/editing Zope Page Templates through the web using the standard Zope user/role permission mechanisms. Untrusted users should not be assigned the Zope Manager role and adding/editing Zope Page Templates through the web should be restricted to trusted users only."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-07-29T11:47:33",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/zopefoundation/Zope/commit/1f8456bf1f908ea46012537d52bd7e752a532c91"
        },
        {
          "name": "[oss-security] 20210521 Plone security hotfix 20210518",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2021/05/21/1"
        },
        {
          "name": "[oss-security] 20210522 Re: Plone security hotfix 20210518",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2021/05/22/1"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://cyllective.com/blog/post/plone-authenticated-rce-cve-2021-32633/"
        }
      ],
      "source": {
        "advisory": "GHSA-5pr9-v234-jw36",
        "discovery": "UNKNOWN"
      },
      "title": "Remote Code Execution via traversal in TAL expressions",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-32633",
          "STATE": "PUBLIC",
          "TITLE": "Remote Code Execution via traversal in TAL expressions"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Zope",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 4.6"
                          },
                          {
                            "version_value": "\u003e= 5.0, \u003c 5.2"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "zopefoundation"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Zope is an open-source web application server. In Zope versions prior to 4.6 and 5.2, users can access untrusted modules indirectly through Python modules that are available for direct use. By default, only users with the Manager role can add or edit Zope Page Templates through the web, but sites that allow untrusted users to add/edit Zope Page Templates through the web are at risk from this vulnerability. The problem has been fixed in Zope 5.2 and 4.6. As a workaround, a site administrator can restrict adding/editing Zope Page Templates through the web using the standard Zope user/role permission mechanisms. Untrusted users should not be assigned the Zope Manager role and adding/editing Zope Page Templates through the web should be restricted to trusted users only."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36",
              "refsource": "CONFIRM",
              "url": "https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36"
            },
            {
              "name": "https://github.com/zopefoundation/Zope/commit/1f8456bf1f908ea46012537d52bd7e752a532c91",
              "refsource": "MISC",
              "url": "https://github.com/zopefoundation/Zope/commit/1f8456bf1f908ea46012537d52bd7e752a532c91"
            },
            {
              "name": "[oss-security] 20210521 Plone security hotfix 20210518",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2021/05/21/1"
            },
            {
              "name": "[oss-security] 20210522 Re: Plone security hotfix 20210518",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2021/05/22/1"
            },
            {
              "name": "https://cyllective.com/blog/post/plone-authenticated-rce-cve-2021-32633/",
              "refsource": "MISC",
              "url": "https://cyllective.com/blog/post/plone-authenticated-rce-cve-2021-32633/"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-5pr9-v234-jw36",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2021-32633",
    "datePublished": "2021-05-21T13:55:10",
    "dateReserved": "2021-05-12T00:00:00",
    "dateUpdated": "2024-08-03T23:25:30.947Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:plone:plone:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"4.3.20\", \"matchCriteriaId\": \"801F96D6-B2E2-4BA9-9208-7DB0B327BB93\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:plone:plone:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"5.0\", \"versionEndIncluding\": \"5.2.4\", \"matchCriteriaId\": \"49BC6F68-1C5B-4EE6-AF9C-5C28E86CC669\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:zope:zope:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"4.6\", \"matchCriteriaId\": \"AED4C9A0-041A-4646-B34B-901DD7EA0652\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:zope:zope:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"5.0\", \"versionEndExcluding\": \"5.2\", \"matchCriteriaId\": \"34E88218-F6D6-45B7-B3CC-F97EF7FA2E22\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Zope is an open-source web application server. In Zope versions prior to 4.6 and 5.2, users can access untrusted modules indirectly through Python modules that are available for direct use. By default, only users with the Manager role can add or edit Zope Page Templates through the web, but sites that allow untrusted users to add/edit Zope Page Templates through the web are at risk from this vulnerability. The problem has been fixed in Zope 5.2 and 4.6. As a workaround, a site administrator can restrict adding/editing Zope Page Templates through the web using the standard Zope user/role permission mechanisms. Untrusted users should not be assigned the Zope Manager role and adding/editing Zope Page Templates through the web should be restricted to trusted users only.\"}, {\"lang\": \"es\", \"value\": \"Zope es un servidor de aplicaciones web de c\\u00f3digo abierto.\u0026#xa0;En las versiones de Zope anteriores a 4.6 y 5.2, los usuarios pueden acceder a m\\u00f3dulos que no son confiables indirectamente por medio de m\\u00f3dulos de Python que est\\u00e1n disponibles para uso directo.\u0026#xa0;Por defecto, solo los usuarios con la funci\\u00f3n de administrador pueden agregar o editar Zope Page Templates por medio de la web, pero los sitios que permiten a usuarios no confiables agregar y editar plantillas de p\\u00e1gina de Zope por medio de la web est\\u00e1n en riesgo de esta vulnerabilidad.\u0026#xa0;El problema se ha solucionado en Zope versiones 5.2 y 4.6.\u0026#xa0;Como soluci\\u00f3n alternativa, un administrador del sitio puede restringir la adici\\u00f3n y edici\\u00f3n de plantillas de p\\u00e1gina Zope por medio de la web utilizando los mecanismos est\\u00e1ndar de permisos user/role de Zope. Usuarios no confiables no debe ser asignado el rol de administrador de Zope y Zope Page Templates de adici\\u00f3n y edici\\u00f3n por medio de la web debe estar restringida solo a usuarios confiables\"}]",
      "id": "CVE-2021-32633",
      "lastModified": "2024-11-21T06:07:25.347",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N\", \"baseScore\": 6.8, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 1.6, \"impactScore\": 5.2}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 8.8, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 5.9}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:S/C:P/I:P/A:P\", \"baseScore\": 6.5, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"SINGLE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.0, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2021-05-21T14:15:07.977",
      "references": "[{\"url\": \"http://www.openwall.com/lists/oss-security/2021/05/21/1\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2021/05/22/1\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://cyllective.com/blog/post/plone-authenticated-rce-cve-2021-32633/\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/zopefoundation/Zope/commit/1f8456bf1f908ea46012537d52bd7e752a532c91\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2021/05/21/1\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2021/05/22/1\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://cyllective.com/blog/post/plone-authenticated-rce-cve-2021-32633/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/zopefoundation/Zope/commit/1f8456bf1f908ea46012537d52bd7e752a532c91\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-22\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-22\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-32633\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2021-05-21T14:15:07.977\",\"lastModified\":\"2024-11-21T06:07:25.347\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Zope is an open-source web application server. In Zope versions prior to 4.6 and 5.2, users can access untrusted modules indirectly through Python modules that are available for direct use. By default, only users with the Manager role can add or edit Zope Page Templates through the web, but sites that allow untrusted users to add/edit Zope Page Templates through the web are at risk from this vulnerability. The problem has been fixed in Zope 5.2 and 4.6. As a workaround, a site administrator can restrict adding/editing Zope Page Templates through the web using the standard Zope user/role permission mechanisms. Untrusted users should not be assigned the Zope Manager role and adding/editing Zope Page Templates through the web should be restricted to trusted users only.\"},{\"lang\":\"es\",\"value\":\"Zope es un servidor de aplicaciones web de c\u00f3digo abierto.\u0026#xa0;En las versiones de Zope anteriores a 4.6 y 5.2, los usuarios pueden acceder a m\u00f3dulos que no son confiables indirectamente por medio de m\u00f3dulos de Python que est\u00e1n disponibles para uso directo.\u0026#xa0;Por defecto, solo los usuarios con la funci\u00f3n de administrador pueden agregar o editar Zope Page Templates por medio de la web, pero los sitios que permiten a usuarios no confiables agregar y editar plantillas de p\u00e1gina de Zope por medio de la web est\u00e1n en riesgo de esta vulnerabilidad.\u0026#xa0;El problema se ha solucionado en Zope versiones 5.2 y 4.6.\u0026#xa0;Como soluci\u00f3n alternativa, un administrador del sitio puede restringir la adici\u00f3n y edici\u00f3n de plantillas de p\u00e1gina Zope por medio de la web utilizando los mecanismos est\u00e1ndar de permisos user/role de Zope. Usuarios no confiables no debe ser asignado el rol de administrador de Zope y Zope Page Templates de adici\u00f3n y edici\u00f3n por medio de la web debe estar restringida solo a usuarios confiables\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N\",\"baseScore\":6.8,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.6,\"impactScore\":5.2},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:S/C:P/I:P/A:P\",\"baseScore\":6.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:plone:plone:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"4.3.20\",\"matchCriteriaId\":\"801F96D6-B2E2-4BA9-9208-7DB0B327BB93\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:plone:plone:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.0\",\"versionEndIncluding\":\"5.2.4\",\"matchCriteriaId\":\"49BC6F68-1C5B-4EE6-AF9C-5C28E86CC669\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zope:zope:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"4.6\",\"matchCriteriaId\":\"AED4C9A0-041A-4646-B34B-901DD7EA0652\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zope:zope:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.0\",\"versionEndExcluding\":\"5.2\",\"matchCriteriaId\":\"34E88218-F6D6-45B7-B3CC-F97EF7FA2E22\"}]}]}],\"references\":[{\"url\":\"http://www.openwall.com/lists/oss-security/2021/05/21/1\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2021/05/22/1\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://cyllective.com/blog/post/plone-authenticated-rce-cve-2021-32633/\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/zopefoundation/Zope/commit/1f8456bf1f908ea46012537d52bd7e752a532c91\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2021/05/21/1\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2021/05/22/1\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://cyllective.com/blog/post/plone-authenticated-rce-cve-2021-32633/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/zopefoundation/Zope/commit/1f8456bf1f908ea46012537d52bd7e752a532c91\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.