VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-1psc-rasd-h7hr

Essentials
Severities (0)
References (7)
Severity details (0)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-1psc-rasd-h7hr
Aliases	CVE-2021-32807 CVE-2021-32811 GHSA-g4gq-j4p2-j8fr GHSA-qcx9-j53g-ccgf PYSEC-2021-335 PYSEC-2021-368 PYSEC-2021-370 PYSEC-2021-875
Summary	The module `AccessControl` defines security policies for Python code used in restricted code within Zope applications. Restricted code is any code that resides in Zope's object database, such as the contents of `Script (Python)` objects. The policies defined in `AccessControl` severely restrict access to Python modules and only exempt a few that are deemed safe, such as Python's `string` module. However, full access to the `string` module also allows access to the class `Formatter`, which can be overridden and extended within `Script (Python)` in a way that provides access to other unsafe Python libraries. Those unsafe Python libraries can be used for remote code execution. By default, you need to have the admin-level Zope "Manager" role to add or edit `Script (Python)` objects through the web. Only sites that allow untrusted users to add/edit these scripts through the web - which would be a very unusual configuration to begin with - are at risk. The problem has been fixed in AccessControl 4.3 and 5.2. Only AccessControl versions 4 and 5 are vulnerable, and only on Python 3, not Python 2.7. As a workaround, a site administrator can restrict adding/editing `Script (Python)` objects through the web using the standard Zope user/role permission mechanisms. Untrusted users should not be assigned the Zope Manager role and adding/editing these scripts through the web should be restricted to trusted users only. This is the default configuration in Zope.
Status	Published
Exploitability	None
Weighted Severity	None
Risk	None
Affected and Fixed Packages	Package Details

Weaknesses (3)

CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-1321	Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
There are no known severity scores.

Reference id	Reference type	URL
		https://github.com/zopefoundation/AccessControl/blob/master/CHANGES.rst#51-2021-07-30
		https://github.com/zopefoundation/AccessControl/commit/b42dd4badf803bb9fb71ac34cd9cb0c249262f2c
		https://github.com/zopefoundation/AccessControl/security/advisories/GHSA-qcx9-j53g-ccgf
		https://github.com/zopefoundation/Zope/commit/f72a18dda8e9bf2aedb46168761668464a4be988
		https://github.com/zopefoundation/Zope/security/advisories/GHSA-g4gq-j4p2-j8fr
CVE-2021-32807		https://nvd.nist.gov/vuln/detail/CVE-2021-32807
CVE-2021-32811		https://nvd.nist.gov/vuln/detail/CVE-2021-32811

No exploits are available.

There are no known vectors.

No EPSS data available for this vulnerability.

Date	Actor	Action	Source	VulnerableCode Version
2026-06-02T04:14:14.661604+00:00	Pypa Importer	Import	https://github.com/pypa/advisory-database/blob/main/vulns/accesscontrol/PYSEC-2021-335.yaml	38.6.0