/
GHSA-qcx9-j53g-ccgf.json
89 lines (89 loc) · 3.66 KB
/
GHSA-qcx9-j53g-ccgf.json
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
{
"schema_version": "1.4.0",
"id": "GHSA-qcx9-j53g-ccgf",
"modified": "2021-08-30T23:27:55Z",
"published": "2021-08-05T17:01:30Z",
"aliases": [
"CVE-2021-32807"
],
"summary": "Remote Code Execution via unsafe classes in otherwise permitted modules",
"details": "### Impact\nThe module `AccessControl` defines security policies for Python code used in restricted code within Zope applications. Restricted code is any code that resides in Zope's object database, such as the contents of `Script (Python)` objects. \n\nThe policies defined in `AccessControl` severely restrict access to Python modules and only exempt a few that are deemed safe, such as Python's `string` module. However, full access to the `string` module also allows access to the class `Formatter`, which can be overridden and extended within `Script (Python)` in a way that provides access to other unsafe Python libraries. Those unsafe Python libraries can be used for remote code execution.\n\nBy default, you need to have the admin-level Zope \"Manager\" role to add or edit `Script (Python)` objects through the web. Only sites that allow untrusted users to add/edit these scripts through the web - which would be a very unusual configuration to begin with - are at risk.\n\n### Patches\nThe problem has been fixed in AccessControl 4.3 and 5.2.\nOnly AccessControl versions 4 and 5 are vulnerable, and only on Python 3, not Python 2.7.\n\n### Workarounds\nA site administrator can restrict adding/editing `Script (Python)` objects through the web using the standard Zope user/role permission mechanisms. Untrusted users should not be assigned the Zope Manager role and adding/editing these scripts through the web should be restricted to trusted users only. This is the default configuration in Zope.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in the [AccessControl issue tracker](https://github.com/zopefoundation/AccessControl/issues)\n* Email us at [security@plone.org](mailto:security@plone.org)\n",
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N"
}
],
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "AccessControl"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "4.0"
},
{
"fixed": "4.3"
}
]
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "AccessControl"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "5.0"
},
{
"fixed": "5.2"
}
]
}
]
}
],
"references": [
{
"type": "WEB",
"url": "https://github.com/zopefoundation/AccessControl/security/advisories/GHSA-qcx9-j53g-ccgf"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32807"
},
{
"type": "WEB",
"url": "https://github.com/zopefoundation/AccessControl/commit/b42dd4badf803bb9fb71ac34cd9cb0c249262f2c"
},
{
"type": "PACKAGE",
"url": "https://github.com/zopefoundation/AccessControl"
},
{
"type": "WEB",
"url": "https://github.com/zopefoundation/AccessControl/blob/master/CHANGES.rst#51-2021-07-30"
}
],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-915"
],
"severity": "MODERATE",
"github_reviewed": true,
"github_reviewed_at": "2021-08-02T23:00:00Z",
"nvd_published_at": "2021-07-30T22:15:00Z"
}
}