cvedb.io
CVE-2021-32807
MEDIUM · CVSS 4.4
EPSS exploitation probability: 0%
Published 2021-07-30T22:15:07.967 · Last modified 2026-06-17T03:53:40.153

Summary

The module `AccessControl` defines security policies for Python code used in restricted code within Zope applications. Restricted code is any code that resides in Zope's object database, such as the contents of `Script (Python)` objects. The policies defined in `AccessControl` severely restrict access to Python modules and only exempt a few that are deemed safe, such as Python's `string` module. However, full access to the `string` module also allows access to the class `Formatter`, which can be overridden and extended within `Script (Python)` in a way that provides access to other unsafe Python libraries. Those unsafe Python libraries can be used for remote code execution. By default, you need to have the admin-level Zope "Manager" role to add or edit `Script (Python)` objects through the

Affected products

zope — accesscontrol

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.