Remote Code Execution via Python Scripts

Versions affected

5.2.4
5.2.3
5.2.2
5.2.1
5.2.0

Vulnerability

In Python Scripts an attacker may be able to abuse the string.Formatter class to access private attributes, which could then lead to remote code execution. Only Plone 5.2 on Python 3 is vulnerable.

Current status

Fixed in AccessControl 4.3 (and 5.2), available in Zope 4.6.3 (and 5.3). Version 1.6 of the Plone hotfix contains the fix as well.

Credits

Discovered by

Calum Hutton

Fixed by

Plone Security Team

Coordinated by

Plone Security Team

Contact

You can contact the security team confidentially by email at security@plone.org

More information

CVE Identifier

CVE-2021-32807

Type

Remote Code Execution

Severity

8.2 – high
Vector	Network
Complexity	Medium
Authentication	Single
Confidentiality	Complete
Integrity	Complete
Availability	Partial

Timeline

Vulnerability reported: 2021-07-20
Hotfix released: 2021-07-30