PYSEC-2021-104.yaml
id: PYSEC-2021-104
details: 'Zope is an open-source web application server. This advisory extends the
  previous advisory at https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36
  with additional cases of TAL expression traversal vulnerabilities. Most Python modules
  are not available for using in TAL expressions that you can add through-the-web,
  for example in Zope Page Templates. This restriction avoids file system access,
  for example via the ''os'' module. But some of the untrusted modules are available
  indirectly through Python modules that are available for direct use. By default,
  you need to have the Manager role to add or edit Zope Page Templates through the
  web. Only sites that allow untrusted users to add/edit Zope Page Templates through
  the web are at risk. The problem has been fixed in Zope 5.21 and 4.6.1. The workaround
  is the same as for https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36:
  A site administrator can restrict adding/editing Zope Page Templates through the
  web using the standard Zope user/role permission mechanisms. Untrusted users should
  not be assigned the Zope Manager role and adding/editing Zope Page Templates through
  the web should be restricted to trusted users only.'
affected:
- package:
    name: zope
    ecosystem: PyPI
    purl: pkg:pypi/zope
  ranges:
  - type: GIT
    repo: https://github.com/zopefoundation/Zope
    events:
    - introduced: '0'
    - fixed: 1d897910139e2c0b11984fc9b78c1da1365bec21
  - type: ECOSYSTEM
    events:
    - introduced: '4.0'
    - fixed: 4.6.1
    - introduced: '5.0'
    - fixed: 5.2.1
  versions:
  - '4.0'
  - '4.1'
  - 4.1.1
  - 4.1.2
  - 4.1.3
  - '4.2'
  - 4.2.1
  - '4.3'
  - '4.4'
  - 4.4.1
  - 4.4.2
  - 4.4.3
  - 4.4.4
  - '4.5'
  - 4.5.1
  - 4.5.2
  - 4.5.3
  - 4.5.4
  - 4.5.5
  - '4.6'
  - '5.0'
  - '5.1'
  - 5.1.1
  - 5.1.2
  - '5.2'
references:
- type: ADVISORY
  url: https://github.com/zopefoundation/Zope/security/advisories/GHSA-rpcg-f9q6-2mq6
- type: FIX
  url: https://github.com/zopefoundation/Zope/commit/1d897910139e2c0b11984fc9b78c1da1365bec21
- type: PACKAGE
  url: https://pypi.org/project/Zope/
- type: ADVISORY
  url: https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36
- type: ADVISORY
  url: https://github.com/advisories/GHSA-5vq5-pg3r-9ph3
aliases:
- CVE-2021-32674
- GHSA-rpcg-f9q6-2mq6
- GHSA-5pr9-v234-jw36
- GHSA-5vq5-pg3r-9ph3
modified: '2021-06-22T04:54:57.652841Z'
published: '2021-06-08T18:15:00Z'