CVE-2021-32633 (GCVE-0-2021-32633)

Vulnerability from cvelistv5 – Published: 2021-05-21 13:55 – Updated: 2024-08-03 23:25
VLAI?
Summary
Zope is an open-source web application server. In Zope versions prior to 4.6 and 5.2, users can access untrusted modules indirectly through Python modules that are available for direct use. By default, only users with the Manager role can add or edit Zope Page Templates through the web, but sites that allow untrusted users to add/edit Zope Page Templates through the web are at risk from this vulnerability. The problem has been fixed in Zope 5.2 and 4.6. As a workaround, a site administrator can restrict adding/editing Zope Page Templates through the web using the standard Zope user/role permission mechanisms. Untrusted users should not be assigned the Zope Manager role and adding/editing Zope Page Templates through the web should be restricted to trusted users only.
Severity ?
6.8 (Medium)
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
CWE
  • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
Impacted products
Vendor Product Version
zopefoundation Zope Affected: < 4.6
Affected: >= 5.0, < 5.2
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T23:25:30.947Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/zopefoundation/Zope/commit/1f8456bf1f908ea46012537d52bd7e752a532c91"
          },
          {
            "name": "[oss-security] 20210521 Plone security hotfix 20210518",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2021/05/21/1"
          },
          {
            "name": "[oss-security] 20210522 Re: Plone security hotfix 20210518",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2021/05/22/1"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://cyllective.com/blog/post/plone-authenticated-rce-cve-2021-32633/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Zope",
          "vendor": "zopefoundation",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 4.6"
            },
            {
              "status": "affected",
              "version": "\u003e= 5.0, \u003c 5.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Zope is an open-source web application server. In Zope versions prior to 4.6 and 5.2, users can access untrusted modules indirectly through Python modules that are available for direct use. By default, only users with the Manager role can add or edit Zope Page Templates through the web, but sites that allow untrusted users to add/edit Zope Page Templates through the web are at risk from this vulnerability. The problem has been fixed in Zope 5.2 and 4.6. As a workaround, a site administrator can restrict adding/editing Zope Page Templates through the web using the standard Zope user/role permission mechanisms. Untrusted users should not be assigned the Zope Manager role and adding/editing Zope Page Templates through the web should be restricted to trusted users only."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-07-29T11:47:33",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/zopefoundation/Zope/commit/1f8456bf1f908ea46012537d52bd7e752a532c91"
        },
        {
          "name": "[oss-security] 20210521 Plone security hotfix 20210518",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2021/05/21/1"
        },
        {
          "name": "[oss-security] 20210522 Re: Plone security hotfix 20210518",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2021/05/22/1"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://cyllective.com/blog/post/plone-authenticated-rce-cve-2021-32633/"
        }
      ],
      "source": {
        "advisory": "GHSA-5pr9-v234-jw36",
        "discovery": "UNKNOWN"
      },
      "title": "Remote Code Execution via traversal in TAL expressions",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-32633",
          "STATE": "PUBLIC",
          "TITLE": "Remote Code Execution via traversal in TAL expressions"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Zope",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 4.6"
                          },
                          {
                            "version_value": "\u003e= 5.0, \u003c 5.2"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "zopefoundation"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Zope is an open-source web application server. In Zope versions prior to 4.6 and 5.2, users can access untrusted modules indirectly through Python modules that are available for direct use. By default, only users with the Manager role can add or edit Zope Page Templates through the web, but sites that allow untrusted users to add/edit Zope Page Templates through the web are at risk from this vulnerability. The problem has been fixed in Zope 5.2 and 4.6. As a workaround, a site administrator can restrict adding/editing Zope Page Templates through the web using the standard Zope user/role permission mechanisms. Untrusted users should not be assigned the Zope Manager role and adding/editing Zope Page Templates through the web should be restricted to trusted users only."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36",
              "refsource": "CONFIRM",
              "url": "https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36"
            },
            {
              "name": "https://github.com/zopefoundation/Zope/commit/1f8456bf1f908ea46012537d52bd7e752a532c91",
              "refsource": "MISC",
              "url": "https://github.com/zopefoundation/Zope/commit/1f8456bf1f908ea46012537d52bd7e752a532c91"
            },
            {
              "name": "[oss-security] 20210521 Plone security hotfix 20210518",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2021/05/21/1"
            },
            {
              "name": "[oss-security] 20210522 Re: Plone security hotfix 20210518",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2021/05/22/1"
            },
            {
              "name": "https://cyllective.com/blog/post/plone-authenticated-rce-cve-2021-32633/",
              "refsource": "MISC",
              "url": "https://cyllective.com/blog/post/plone-authenticated-rce-cve-2021-32633/"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-5pr9-v234-jw36",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2021-32633",
    "datePublished": "2021-05-21T13:55:10",
    "dateReserved": "2021-05-12T00:00:00",
    "dateUpdated": "2024-08-03T23:25:30.947Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:plone:plone:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"4.3.20\", \"matchCriteriaId\": \"801F96D6-B2E2-4BA9-9208-7DB0B327BB93\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:plone:plone:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"5.0\", \"versionEndIncluding\": \"5.2.4\", \"matchCriteriaId\": \"49BC6F68-1C5B-4EE6-AF9C-5C28E86CC669\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:zope:zope:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"4.6\", \"matchCriteriaId\": \"AED4C9A0-041A-4646-B34B-901DD7EA0652\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:zope:zope:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"5.0\", \"versionEndExcluding\": \"5.2\", \"matchCriteriaId\": \"34E88218-F6D6-45B7-B3CC-F97EF7FA2E22\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Zope is an open-source web application server. In Zope versions prior to 4.6 and 5.2, users can access untrusted modules indirectly through Python modules that are available for direct use. By default, only users with the Manager role can add or edit Zope Page Templates through the web, but sites that allow untrusted users to add/edit Zope Page Templates through the web are at risk from this vulnerability. The problem has been fixed in Zope 5.2 and 4.6. As a workaround, a site administrator can restrict adding/editing Zope Page Templates through the web using the standard Zope user/role permission mechanisms. Untrusted users should not be assigned the Zope Manager role and adding/editing Zope Page Templates through the web should be restricted to trusted users only.\"}, {\"lang\": \"es\", \"value\": \"Zope es un servidor de aplicaciones web de c\\u00f3digo abierto.\u0026#xa0;En las versiones de Zope anteriores a 4.6 y 5.2, los usuarios pueden acceder a m\\u00f3dulos que no son confiables indirectamente por medio de m\\u00f3dulos de Python que est\\u00e1n disponibles para uso directo.\u0026#xa0;Por defecto, solo los usuarios con la funci\\u00f3n de administrador pueden agregar o editar Zope Page Templates por medio de la web, pero los sitios que permiten a usuarios no confiables agregar y editar plantillas de p\\u00e1gina de Zope por medio de la web est\\u00e1n en riesgo de esta vulnerabilidad.\u0026#xa0;El problema se ha solucionado en Zope versiones 5.2 y 4.6.\u0026#xa0;Como soluci\\u00f3n alternativa, un administrador del sitio puede restringir la adici\\u00f3n y edici\\u00f3n de plantillas de p\\u00e1gina Zope por medio de la web utilizando los mecanismos est\\u00e1ndar de permisos user/role de Zope. Usuarios no confiables no debe ser asignado el rol de administrador de Zope y Zope Page Templates de adici\\u00f3n y edici\\u00f3n por medio de la web debe estar restringida solo a usuarios confiables\"}]",
      "id": "CVE-2021-32633",
      "lastModified": "2024-11-21T06:07:25.347",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N\", \"baseScore\": 6.8, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 1.6, \"impactScore\": 5.2}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 8.8, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 5.9}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:S/C:P/I:P/A:P\", \"baseScore\": 6.5, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"SINGLE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.0, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2021-05-21T14:15:07.977",
      "references": "[{\"url\": \"http://www.openwall.com/lists/oss-security/2021/05/21/1\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2021/05/22/1\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://cyllective.com/blog/post/plone-authenticated-rce-cve-2021-32633/\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/zopefoundation/Zope/commit/1f8456bf1f908ea46012537d52bd7e752a532c91\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2021/05/21/1\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2021/05/22/1\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://cyllective.com/blog/post/plone-authenticated-rce-cve-2021-32633/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/zopefoundation/Zope/commit/1f8456bf1f908ea46012537d52bd7e752a532c91\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-22\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-22\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-32633\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2021-05-21T14:15:07.977\",\"lastModified\":\"2024-11-21T06:07:25.347\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Zope is an open-source web application server. In Zope versions prior to 4.6 and 5.2, users can access untrusted modules indirectly through Python modules that are available for direct use. By default, only users with the Manager role can add or edit Zope Page Templates through the web, but sites that allow untrusted users to add/edit Zope Page Templates through the web are at risk from this vulnerability. The problem has been fixed in Zope 5.2 and 4.6. As a workaround, a site administrator can restrict adding/editing Zope Page Templates through the web using the standard Zope user/role permission mechanisms. Untrusted users should not be assigned the Zope Manager role and adding/editing Zope Page Templates through the web should be restricted to trusted users only.\"},{\"lang\":\"es\",\"value\":\"Zope es un servidor de aplicaciones web de c\u00f3digo abierto.\u0026#xa0;En las versiones de Zope anteriores a 4.6 y 5.2, los usuarios pueden acceder a m\u00f3dulos que no son confiables indirectamente por medio de m\u00f3dulos de Python que est\u00e1n disponibles para uso directo.\u0026#xa0;Por defecto, solo los usuarios con la funci\u00f3n de administrador pueden agregar o editar Zope Page Templates por medio de la web, pero los sitios que permiten a usuarios no confiables agregar y editar plantillas de p\u00e1gina de Zope por medio de la web est\u00e1n en riesgo de esta vulnerabilidad.\u0026#xa0;El problema se ha solucionado en Zope versiones 5.2 y 4.6.\u0026#xa0;Como soluci\u00f3n alternativa, un administrador del sitio puede restringir la adici\u00f3n y edici\u00f3n de plantillas de p\u00e1gina Zope por medio de la web utilizando los mecanismos est\u00e1ndar de permisos user/role de Zope. Usuarios no confiables no debe ser asignado el rol de administrador de Zope y Zope Page Templates de adici\u00f3n y edici\u00f3n por medio de la web debe estar restringida solo a usuarios confiables\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N\",\"baseScore\":6.8,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.6,\"impactScore\":5.2},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:S/C:P/I:P/A:P\",\"baseScore\":6.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:plone:plone:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"4.3.20\",\"matchCriteriaId\":\"801F96D6-B2E2-4BA9-9208-7DB0B327BB93\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:plone:plone:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.0\",\"versionEndIncluding\":\"5.2.4\",\"matchCriteriaId\":\"49BC6F68-1C5B-4EE6-AF9C-5C28E86CC669\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zope:zope:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"4.6\",\"matchCriteriaId\":\"AED4C9A0-041A-4646-B34B-901DD7EA0652\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zope:zope:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.0\",\"versionEndExcluding\":\"5.2\",\"matchCriteriaId\":\"34E88218-F6D6-45B7-B3CC-F97EF7FA2E22\"}]}]}],\"references\":[{\"url\":\"http://www.openwall.com/lists/oss-security/2021/05/21/1\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2021/05/22/1\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://cyllective.com/blog/post/plone-authenticated-rce-cve-2021-32633/\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/zopefoundation/Zope/commit/1f8456bf1f908ea46012537d52bd7e752a532c91\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2021/05/21/1\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2021/05/22/1\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://cyllective.com/blog/post/plone-authenticated-rce-cve-2021-32633/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/zopefoundation/Zope/commit/1f8456bf1f908ea46012537d52bd7e752a532c91\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.