NVD Vulnerability Detail

CVE-2021-32633

Summary	Zope is an open-source web application server. In Zope versions prior to 4.6 and 5.2, users can access untrusted modules indirectly through Python modules that are available for direct use. By default, only users with the Manager role can add or edit Zope Page Templates through the web, but sites that allow untrusted users to add/edit Zope Page Templates through the web are at risk from this vulnerability. The problem has been fixed in Zope 5.2 and 4.6. As a workaround, a site administrator can restrict adding/editing Zope Page Templates through the web using the standard Zope user/role permission mechanisms. Untrusted users should not be assigned the Zope Manager role and adding/editing Zope Page Templates through the web should be restricted to trusted users only.
Publication Date	May 21, 2021, 11:15 p.m.
Registration Date	May 22, 2021, 10 a.m.
Last Update	Nov. 21, 2024, 3:07 p.m.

Affected software configurations

Related information, measures and tools

No	URL	タグ
1	http://www.openwall.com/lists/oss-security/2021/05/21/1	Mailing List Third Party Advisory
2	http://www.openwall.com/lists/oss-security/2021/05/21/1	Mailing List Third Party Advisory
3	http://www.openwall.com/lists/oss-security/2021/05/22/1	Mailing List Third Party Advisory
4	http://www.openwall.com/lists/oss-security/2021/05/22/1	Mailing List Third Party Advisory
5	https://cyllective.com/blog/post/plone-authenticated-rce-cve-2021-32633/	Exploit Third Party Advisory
6	https://cyllective.com/blog/post/plone-authenticated-rce-cve-2021-32633/	Exploit Third Party Advisory
7	https://github.com/zopefoundation/Zope/commit/1f8456bf1f908ea46012537d52bd7e752a532c91	Patch Third Party Advisory
8	https://github.com/zopefoundation/Zope/commit/1f8456bf1f908ea46012537d52bd7e752a532c91	Patch Third Party Advisory
9	https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36	Third Party Advisory
10	https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36	Third Party Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-22	パス・トラバーサル	https://cwe.mitre.org/data/definitions/22.html

JVN Vulnerability Information

Zope におけるパストラバーサルの脆弱性

Title	Zope におけるパストラバーサルの脆弱性
Summary	Zope には、パストラバーサルの脆弱性が存在します。
Possible impacts	情報を取得される、情報を改ざんされる、およびサービス運用妨害 (DoS) 状態にされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	May 21, 2021, midnight
Registration Date	Feb. 3, 2022, 6:04 p.m.
Last Update	Feb. 3, 2022, 6:04 p.m.

Affected System

Zope Foundation

Zope 4.6 未満

Zope 5.2 未満

Plone Foundation

Plone

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2021-32633	https://www.cve.org/CVERecord?id=CVE-2021-32633
National Vulnerability Database (NVD)
2	CVE-2021-32633	https://nvd.nist.gov/vuln/detail/CVE-2021-32633

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-22	https://jvndb.jvn.jp/ja/cwe/CWE-22.html

ベンダー情報

No	Name	URL
GitHub
1	Merge pull request from GHSA-5pr9-v234-jw36	https://github.com/zopefoundation/Zope/commit/1f8456bf1f908ea46012537d52bd7e752a532c91
2	Remote Code Execution via traversal in TAL expressions	https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36
Plone
3	Top Page	https://plone.org/

Change Log

No	Changed Details	Date of change
1	[2022年02月03日] 掲載	Feb. 3, 2022, 6:04 p.m.