CVE-2021-32811

Zope is an open-source web application server. Zope versions prior to versions 4.6.3 and 5.3 have a remote code execution security issue. In order to be affected, one must use Python 3 for one's Zope deployment, run Zope 4 below version 4.6.3 or Zope 5 below version 5.3, and have the optional `Products.PythonScripts` add-on package installed. By default, one must have the admin-level Zope "Manager" role to add or edit Script (Python) objects through the web. Only sites that allow untrusted users to add/edit these scripts through the web are at risk. Zope releases 4.6.3 and 5.3 are not vulnerable. As a workaround, a site administrator can restrict adding/editing Script (Python) objects through the web using the standard Zope user/role permission mechanisms. Untrusted users should not be assigned the Zope Manager role and adding/editing these scripts through the web should be restricted to trusted users only. This is the default configuration in Zope.

Zope is an open-source web application server. Zope versions prior to versions 4.6.3 and 5.3 have a remote code execution security issue. In order to be affected, one must use Python 3 for one's Zope deployment, run Zope 4 below version 4.6.3 or Zope 5 below version 5.3, and have the optional `Products.PythonScripts` add-on package installed. By default, one must have the admin-level Zope "Manager" role to add or edit Script (Python) objects through the web. Only sites that allow untrusted users to add/edit these scripts through the web are at risk. Zope releases 4.6.3 and 5.3 are not vulnerable. As a workaround, a site administrator can restrict adding/editing Script (Python) objects through the web using the standard Zope user/role permission mechanisms. Untrusted users should not be assigned the Zope Manager role and adding/editing these scripts through the web should be restricted to trusted users only. This is the default configuration in Zope.

The module `AccessControl` defines security policies for Python code used in restricted code within Zope applications. Restricted code is any code that resides in Zope's object database, such as the contents of `Script (Python)` objects. The policies defined in `AccessControl` severely restrict access to Python modules and only exempt a few that are deemed safe, such as Python's `string` module. However, full access to the `string` module also allows access to the class `Formatter`, which can be overridden and extended within `Script (Python)` in a way that provides access to other unsafe Python libraries. Those unsafe Python libraries can be used for remote code execution. By default, you need to have the admin-level Zope "Manager" role to add or edit `Script (Python)` objects through the web. Only sites that allow untrusted users to add/edit these scripts through the web - which would be a very unusual configuration to begin with - are at risk. The problem has been fixed in AccessControl 4.3 and 5.2. Only AccessControl versions 4 and 5 are vulnerable, and only on Python 3, not Python 2.7. As a workaround, a site administrator can restrict adding/editing `Script (Python)` objects through the web using the standard Zope user/role permission mechanisms. Untrusted users should not be assigned the Zope Manager role and adding/editing these scripts through the web should be restricted to trusted users only. This is the default configuration in Zope.

### Impact Background: The optional add-on package `Products.PythonScripts` adds `Script (Python)` to the list of content items a user can add to the Zope object database. Inside these scripts users can write Python code that is executed when rendered through the web. The code environment in these script objects is limited, it relies on the `RestrictedPython` package to provide a "safe" subset of Python instructions as well as the `AccessControl` package that defines security policies for execution in the context of a Zope application. Recently the `AccessControl` package was updated to fix a remote code execution security issue. A link to the security advisory is provided in the References section below. The bug tightens the `AccessControl` security policies for Zope by blocking access to unsafe classes inside the Python `string` module. You are only affected if the following are true: - You use Python 3 for your Zope deployment (Zope 4 on Python 2 is not affected) - You run Zope 4 below version 4.6.3 or Zope 5 below version 5.3 - You have installed the optional `Products.PythonScripts` add-on package By default, you need to have the admin-level Zope "Manager" role to add or edit Script (Python) objects through the web. Only sites that allow untrusted users to add/edit these scripts through the web - which would be a very unusual configuration to begin with - are at risk. ### Patches The problem has been fixed in `AccessControl` versions 4.3 and 5.2. Zope releases 4.6.3 and 5.3 now require these new `AccessControl` releases. ### Workarounds A site administrator can restrict adding/editing Script (Python) objects through the web using the standard Zope user/role permission mechanisms. Untrusted users should not be assigned the Zope Manager role and adding/editing these scripts through the web should be restricted to trusted users only. This is the default configuration in Zope. ### References * [AccessControl security advisory GHSA-qcx9-j53g-ccgf](https://github.com/zopefoundation/AccessControl/security/advisories/GHSA-qcx9-j53g-ccgf) ### For more information If you have any questions or comments about this advisory: * Open an issue in the [Zope issue tracker](https://github.com/zopefoundation/Zope/issues) * Email us at [security@plone.org](mailto:security@plone.org)

Zope es un servidor de aplicaciones web de código abierto. Zope versiones anteriores a 4.6.3 y 5.3 tienen un problema de seguridad de ejecución de código remota . Para ser afectado, uno debe usar Python 3 para su despliegue de Zope, ejecutar Zope 4 por debajo de la versión 4.6.3 o Zope 5 por debajo de la versión 5.3, y tener el paquete adicional opcional "Products.PythonScripts" instalado. Por defecto, hay que tener el rol de "Manager" de Zope a nivel de administrador para añadir o editar objetos Script (Python) mediante la web. Sólo los sitios que permiten a usuarios no confiables añadir/editar estos scripts mediante la web están en riesgo. Zope versiones 4.6.3 y 5.3 no son vulnerables. Como solución, el administrador del sitio puede restringir la adición/edición de objetos Script (Python) mediante la web usando los mecanismos estándar de permisos de usuario/rol de Zope. Los usuarios que no son de confianza no se les debería asignar el rol de Administrador de Zope y añadir/editar estos scripts mediante la web debería estar restringido sólo a usuarios de confianza. Esta es la configuración predeterminada en Zope