CVE-2021-32674

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2021-32674
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-32674.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-32674
Aliases
Related
Published
2021-06-08T18:15:08.307Z
Modified
2026-04-02T06:51:42.147311Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

Zope is an open-source web application server. This advisory extends the previous advisory at https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36 with additional cases of TAL expression traversal vulnerabilities. Most Python modules are not available for using in TAL expressions that you can add through-the-web, for example in Zope Page Templates. This restriction avoids file system access, for example via the 'os' module. But some of the untrusted modules are available indirectly through Python modules that are available for direct use. By default, you need to have the Manager role to add or edit Zope Page Templates through the web. Only sites that allow untrusted users to add/edit Zope Page Templates through the web are at risk. The problem has been fixed in Zope 5.2.1 and 4.6.1. The workaround is the same as for https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36: A site administrator can restrict adding/editing Zope Page Templates through the web using the standard Zope user/role permission mechanisms. Untrusted users should not be assigned the Zope Manager role and adding/editing Zope Page Templates through the web should be restricted to trusted users only.

References

Affected packages

Git / github.com/zopefoundation/zope

Affected ranges

Type
GIT
Repo
https://github.com/zopefoundation/zope
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
52085f3083f0b1f468109c1b127e140a249edf36
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
fabdc34486765392176721e2ea101f3572302aec
Fixed
1d897910139e2c0b11984fc9b78c1da1365bec21
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "4.6.1"
        },
        {
            "introduced": "5.0.0"
        },
        {
            "fixed": "5.2.1"
        }
    ]
}

Affected versions

Other
2-8-6
2-8-7
2-8-8
Zope-2-8-0
Zope-2-8-0-a1
Zope-2-8-0-a2
Zope-2-8-0-b1
Zope-2-8-0-b2
Zope-2-8-1
Zope-2-8-1-b1
Zope-2-8-2
Zope-2-8-3
Zope-2-8-4
Zope-2-8-6
ajung-final-zpt-integration-before-merge-savepoint
backups/Zope-2_9-branch@40220
backups/acripps-resourceViewletDirective@75991
backups/ajung-2-11-prep-branch@82440
backups/ajung-epi-integration@29916
backups/ajung-final-zpt-integration@68335
backups/ajung-translatationservice@30288
backups/ajung-zcatalog-progress@26609
backups/ajung-zpt-encoding-fixes@71736
backups/ajung-zpt-end-game@68335
backups/ajung-zpt-integration@68335
backups/ajung-zpt-strict-unicode@68335
backups/andig-catalog-report@115049
backups/chrism-mountpoint@39745
backups/davisagli-copy-export@123222
backups/dc-bobo_traverse-branch@28330
backups/dc-large_file-branch@28340
backups/easter-sprint_twistedserver@67155
backups/efge-five-events-work@40031
backups/gotcha-LP143531@113945
backups/gotcha-processlifetime@113938
backups/hannosch-dtml-vs-accesscontrol@113161
backups/jim-move-Zope@29064
backups/philikon-deprecate-interfaces@68354
backups/philikon-fix-lookup-priorities@66204
backups/philikon-local-components@67666
backups/philikon-zope32-integration@39849
backups/regebro-issue_1888@67834
backups/regebro-strftime_1127@67835
backups/regebro-unittest_docs@67835
backups/regebro-wsgi_refactor@67833
backups/regebro-zopectl_shellfix@67835
backups/rochael-TM_sortKey@113726
backups/slinkp-1447-httpcache-fix-branch@67981
backups/slinkp-collector_1895@38740
backups/slinkp-collector_596@40067
backups/slinkp_1726_zopeundo@40069
backups/tim-merge-zodb34@29764
backups/tseaver-catalog_getObject_raises@110393
backups/tseaver-clarify_install_docs@110394
backups/tseaver-collector_1460@110395
backups/tseaver-collector_1774@40462
backups/tseaver-five-integration-security@110396
backups/tseaver-five-integration-security@29697
backups/tseaver-instlib_as_site_dir@110397
backups/tseaver-no_globals_imports@94459
backups/tseaver-retire_zpkg@69009
backups/tyam-unicodeSplitterPatch@104722
backups/z4-zmi@124419
backups/zodb-blobs-branch@39746
backups/zope33-port@68354
before-merging-console-scripts-branch
cvs-to-svn-conversion
philikon-aq-checkpoint
2.*
2.10.0
2.10.0b1
2.10.0b2
2.10.0c1
2.10.1
2.10.10
2.10.11
2.10.12
2.10.13
2.10.2
2.10.2b1
2.10.3
2.10.4
2.10.5
2.10.6
2.10.7
2.10.8
2.10.9
2.11.0
2.11.0a1
2.11.0b1
2.11.0c1
2.11.1
2.11.2
2.11.3
2.11.4
2.11.5
2.11.6
2.11.7
2.11.8
2.12-last-fulltree-revision
2.12.0
2.12.0a1
2.12.0a2
2.12.0a3
2.12.0a4
2.12.0b1
2.12.0b2
2.12.0b3
2.12.0b4
2.12.0c1
2.12.1
2.12.10
2.12.11
2.12.12
2.12.13
2.12.14
2.12.15
2.12.16
2.12.17
2.12.18
2.12.19
2.12.2
2.12.20
2.12.21
2.12.22
2.12.23
2.12.24
2.12.25
2.12.26
2.12.27
2.12.28
2.12.3
2.12.4
2.12.5
2.12.6
2.12.7
2.12.8
2.12.9
2.13.0
2.13.0a1
2.13.0a2
2.13.0a3
2.13.0a4
2.13.0b1
2.13.0c1
2.13.1
2.13.10
2.13.11
2.13.12
2.13.13
2.13.14
2.13.15
2.13.16
2.13.17
2.13.18
2.13.19
2.13.2
2.13.20
2.13.21
2.13.22
2.13.23
2.13.24
2.13.25
2.13.26
2.13.27
2.13.28
2.13.29
2.13.3
2.13.30
2.13.4
2.13.5
2.13.6
2.13.7
2.13.8
2.13.9
2.8.10
2.8.11
2.8.12
2.8.9
2.8.9.1
2.9.0
2.9.0b1
2.9.0b2
2.9.1
2.9.10
2.9.12
2.9.2
2.9.3
2.9.4
2.9.5
2.9.6
2.9.7
2.9.8
2.9.9
4.*
4.0
4.0a1
4.0a2
4.0a3
4.0a4
4.0a5
4.0a6
4.0b1
4.0b10
4.0b2
4.0b3
4.0b4
4.0b5
4.0b6
4.0b7
4.0b8
4.0b9
4.1
4.1.1
4.1.2
4.1.3
4.2
4.2.1
4.3
4.4
4.4.1
4.4.2
4.4.3
4.4.4
4.5
4.5.1
4.5.2
4.5.3
4.5.4
4.5.5
4.6
5.*
5.0
5.0a1
5.0a2
5.1
5.1.1
5.1.2
5.2
Zope-2.*
Zope-2.8.5
backups/2.*
backups/2.10-with-ZODB3.8@83153
backups/2.10@68399
backups/Zope-2.*
backups/Zope-2.9@40221
backups/shh-2.*
backups/shh-2.11-zopelitelayer@80865
backups/tim-2.*
backups/tim-2.9-windows-installer@41463
backups/tseaver-2.*
backups/tseaver-2.11-no-z2-interfaces@110391
backups/tseaver-2.8-external_test@110392
backups/tseaver-2.8-external_test@29729
backups/tseaver-retire_zpkg-2.*
backups/tseaver-retire_zpkg-2.10@69010
backups/tseaver-zope.*
backups/tseaver-zope.app_delenda_est@110398
backups/witsch-2.*
backups/witsch-2.10-with-standard-docutils@76342
backups/witsch-zope2.*
backups/witsch-zope2.11-with-standard-docutils@83154

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-32674.json"