CVE-2021-32807

Remote Code Execution via unsafe classes in otherwise permitted modules

Severity Score

7.2

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

The module `AccessControl` defines security policies for Python code used in restricted code within Zope applications. Restricted code is any code that resides in Zope's object database, such as the contents of `Script (Python)` objects. The policies defined in `AccessControl` severely restrict access to Python modules and only exempt a few that are deemed safe, such as Python's `string` module. However, full access to the `string` module also allows access to the class `Formatter`, which can be overridden and extended within `Script (Python)` in a way that provides access to other unsafe Python libraries. Those unsafe Python libraries can be used for remote code execution. By default, you need to have the admin-level Zope "Manager" role to add or edit `Script (Python)` objects through the web. Only sites that allow untrusted users to add/edit these scripts through the web - which would be a very unusual configuration to begin with - are at risk. The problem has been fixed in AccessControl 4.3 and 5.2. Only AccessControl versions 4 and 5 are vulnerable, and only on Python 3, not Python 2.7. As a workaround, a site administrator can restrict adding/editing `Script (Python)` objects through the web using the standard Zope user/role permission mechanisms. Untrusted users should not be assigned the Zope Manager role and adding/editing these scripts through the web should be restricted to trusted users only. This is the default configuration in Zope.

El módulo "AccessControl" define las políticas de seguridad para el código Python usado en el código restringido dentro de las aplicaciones de Zope. El código restringido es cualquier código que reside en la base de datos de objetos de Zope, como el contenido de los objetos "Script (Python)". Las políticas definidas en "AccessControl" restringen severamente el acceso a los módulos de Python y sólo eximen a unos pocos que se consideran seguros, como el módulo "string" de Python. Sin embargo, el acceso completo al módulo "string" también permite el acceso a la clase "Formatter", que puede ser sobrescrita y extendida dentro de "Script (Python)" de manera que proporciona acceso a otras bibliotecas no seguras de Python. Estas bibliotecas no seguras de Python pueden ser usadas para una ejecución de código remota . Por defecto, necesitas tener el rol de "Manager" de Zope a nivel de administrador para añadir o editar objetos "Script (Python)" mediante la web. Sólo los sitios que permiten a usuarios no confiables añadir/editar estos scripts a través de la web - lo que sería una configuración muy inusual para empezar - están en riesgo. El problema se ha corregido en AccessControl versiones 4.3 y 5.2. Sólo las versiones 4 y 5 de AccessControl son vulnerables, y sólo en Python 3, no en Python 2.7. Como solución, un administrador del sitio puede restringir la adición/edición de objetos "Script (Python)" mediante la web usando los mecanismos estándar de permisos de usuario/rol de Zope. A unos usuarios que no son de confianza no se les debería asignar el rol de Administrador de Zope y añadir/editar estos scripts mediante la web debería estar restringido sólo a usuarios de confianza. Esta es la configuración predeterminada en Zope

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

High

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2021-05-12 CVE Reserved
2021-07-30 CVE Published
2024-01-12 EPSS Updated
2024-08-03 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes
CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

CAPEC

References (3)

URL	Tag	Source
https://github.com/zopefoundation/AccessControl/blob/master/CHANGES.rst#51-2021-07-30	Release Notes
https://github.com/zopefoundation/AccessControl/security/advisories/GHSA-qcx9-j53g-ccgf	Third Party Advisory

URL	Date	SRC

URL	Date	SRC
https://github.com/zopefoundation/AccessControl/commit/b42dd4badf803bb9fb71ac34cd9cb0c249262f2c	2022-12-02

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Zope Search vendor "Zope"		Accesscontrol Search vendor "Zope" for product "Accesscontrol"				>= 4.0 < 4.3 Search vendor "Zope" for product "Accesscontrol" and version " >= 4.0 < 4.3"		-		Affected
Zope Search vendor "Zope"		Accesscontrol Search vendor "Zope" for product "Accesscontrol"				>= 5.0 < 5.2 Search vendor "Zope" for product "Accesscontrol" and version " >= 5.0 < 5.2"		-		Affected