6.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-32633

GHSA ID

GHSA-5pr9-v234-jw36

EPSS Score

0.7528%

CWE

CWE-22

Published

6/18/2021

Updated

11/19/2024

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-32633

CVE-2021-32633: Remote Code Execution via traversal in TAL expressions

Impact

Most Python modules are not available for using in TAL expressions that you can add through-the-web, for example in Zope Page Templates. This restriction avoids file system access, for example via the 'os' module. But some of the untrusted modules are available indirectly through Python modules that are available for direct use.

By default, you need to have the Manager role to add or edit Zope Page Templates through the web. Only sites that allow untrusted users to add/edit Zope Page Templates through the web are at risk.

Patches

The problem has been fixed in Zope 5.2 and 4.6.

Workarounds

A site administrator can restrict adding/editing Zope Page Templates through the web using the standard Zope user/role permission mechanisms. Untrusted users should not be assigned the Zope Manager role and adding/editing Zope Page Templates through the web should be restricted to trusted users only.

For more information

If you have any questions or comments about this advisory:

Open an issue in the Zope issue tracker
Email us at security@plone.org

(GitHub Advisory)

6.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-32633

GHSA ID

GHSA-5pr9-v234-jw36

EPSS Score

0.7528%

CWE

CWE-22

Published

6/18/2021

Updated

11/19/2024

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
Zope	pip	< 4.6	4.6
Zope	pip	>= 5.0, < 5.2	5.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from insufficient validation of path traversal in TAL expressions. The commit patches show both functions lacked checks for names starting with underscores, which allowed attackers to traverse into protected attributes/modules. The added checks for 'name.startswith('_')' in both functions confirm these were the entry points for unsafe traversal. Exploit examples (e.g., 'random/_os/system') and CWE-22 classification further validate the path traversal mechanism as the root cause.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t Most Pyt*on mo*ul*s *r* not *v*il**l* *or usin* in T*L *xpr*ssions t**t you **n *** t*rou**-t**-w**, *or *x*mpl* in Zop* P*** T*mpl*t*s. T*is r*stri*tion *voi*s *il* syst*m ****ss, *or *x*mpl* vi* t** 'os' mo*ul*. *ut som* o* t** untrust**

Reasoning

T** vuln*r**ility st*ms *rom insu**i*i*nt v*li**tion o* p*t* tr*v*rs*l in T*L *xpr*ssions. T** *ommit p*t***s s*ow *ot* *un*tions l**k** ****ks *or n*m*s st*rtin* wit* un**rs*or*s, w*i** *llow** *tt**k*rs to tr*v*rs* into prot**t** *ttri*ut*s/mo*ul*s

6.8

Basic Information

Concerned about an active attack path?

CVE-2021-32633: Remote Code Execution via traversal in TAL expressions

Impact

Patches

Workarounds

For more information

6.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI