SCA: security update for Zope (GHSA-g4gq-j4p2-j8fr)

high Tenable Self-Hosted Container Security Plugin ID 414856

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Zope is an open-source web application server. Zope 4 before 4.6.3 and Zope 5 before 5.3 have a remote
code execution issue. A deployment is affected only if all three conditions hold: it runs on Python 3,
it runs Zope 4 below 4.6.3 or Zope 5 below 5.3, and the optional `Products.PythonScripts` add-on package
is installed. By default, adding or editing Script (Python) objects through the web requires the
admin-level Zope "Manager" role, so only sites that let untrusted users add or edit these scripts through
the web are at risk. Zope 4.6.3 and 5.3 fix the issue. As a workaround, a site administrator can restrict
adding and editing Script (Python) objects through the web with the standard Zope user/role permission
mechanisms: do not assign the Manager role to untrusted users, and limit script editing through the web
to trusted users. This is Zope's default configuration. The workaround only limits who can author
scripts; it does not remove the flaw, so upgrading is still required. (CVE-2021-32811)
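The affected/not-affected decision above depends on three facts (Python major version, Zope version
range, presence of `Products.PythonScripts`), and plain string comparison of version numbers gets the
ranges wrong (for example "5.3b1" versus "5.3", or "4.6.3.dev0" versus "4.6.3"). The following Python
script is an added example, not Tenable's plugin logic and not Zope project code: it encodes the
advisory's conditions as a version-range check, runs it over a constructed inventory of hypothetical
deployments, and can also inspect the interpreter it runs in. It assumes the PyPI distribution names
"Zope" and "Products.PythonScripts" when querying installed metadata; the inventory rows are invented.

```python
"""Affected-range check for CVE-2021-32811 (GHSA-g4gq-j4p2-j8fr).

Added example. Conditions encoded from the advisory text: Python 3, Zope 4 < 4.6.3
or Zope 5 < 5.3, and the optional Products.PythonScripts package installed.
"""
import re
import sys
from importlib import metadata

# First fixed release per Zope major series, per the advisory.
FIXED = {4: "4.6.3", 5: "5.3"}


def parse_version(text):
    """Turn '4.6.3', '5.3', '5.3b1' or '4.6.3.dev0' into a comparable key.

    Key is ((major, minor, patch), final_flag); a pre-release of X sorts before
    the final X because its flag is 0 rather than 1. Missing components pad to 0,
    so '5.3' and '5.3.0' compare equal.
    """
    parts = []
    prerelease = False
    for comp in text.strip().split("."):
        m = re.match(r"(\d+)(.*)", comp)
        if not m:                # e.g. 'dev0': no leading digits, pre-release marker
            prerelease = True
            continue
        parts.append(int(m.group(1)))
        if m.group(2):           # e.g. '3b1' -> trailing 'b1' is a pre-release tag
            prerelease = True
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3]), 0 if prerelease else 1


def is_affected(zope_version, python_major, pythonscripts_installed):
    """Return (affected, reason) by applying the advisory's three conditions."""
    if python_major < 3:
        return False, "Python 2 deployments are not affected"
    if not pythonscripts_installed:
        return False, "Products.PythonScripts is not installed"
    key = parse_version(zope_version)
    fixed = FIXED.get(key[0][0])
    if fixed is None:
        return False, f"Zope {zope_version} is outside the 4.x/5.x range the advisory covers"
    if key < parse_version(fixed):
        return True, f"Zope {zope_version} < {fixed}; upgrade to {fixed} or later"
    return False, f"Zope {zope_version} >= {fixed}"


# Constructed inventory (zope_version, python_major, pythonscripts_installed); not real scan data.
SAMPLE_INVENTORY = [
    ("4.6.2", 3, True),    # affected: Zope 4 below 4.6.3
    ("4.6.3", 3, True),    # fixed release
    ("5.2", 3, True),      # affected: Zope 5 below 5.3
    ("5.3b1", 3, True),    # affected: pre-release of the fixed version
    ("5.3", 3, True),      # fixed release
    ("4.6.2", 2, True),    # vulnerable range, but Python 2 is out of scope
    ("5.1", 3, False),     # vulnerable range, but the add-on is absent
]


def scan(inventory=SAMPLE_INVENTORY):
    """Apply is_affected to each inventory row; returns rows extended with (affected, reason)."""
    return [(v, py, ps) + is_affected(v, py, ps) for v, py, ps in inventory]


def check_live_environment():
    """Inspect the running interpreter's installed distributions (assumed PyPI names)."""
    try:
        zope_version = metadata.version("Zope")
    except metadata.PackageNotFoundError:
        return False, "Zope is not installed in this environment"
    try:
        metadata.version("Products.PythonScripts")
        has_scripts = True
    except metadata.PackageNotFoundError:
        has_scripts = False
    return is_affected(zope_version, sys.version_info.major, has_scripts)


if __name__ == "__main__":
    for row in scan():
        print(row)
    print(check_live_environment())
```

Run it inside the Zope deployment's own virtualenv so `check_live_environment` sees the same
distributions the application imports; note it reports only the version condition, not whether
untrusted users actually hold the Manager role or script-editing permissions, which must be verified in
the Zope security settings themselves.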

See Also

https://github.com/advisories/GHSA-g4gq-j4p2-j8fr

Plugin Details

Severity: High

ID: 414856

Version: Revision 1.5

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 1/27/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.12

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 4.8

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS Score Source: CVE-2021-32811

CVSS v3

Risk Factor: High

Base Score: 7.2

Temporal Score: 6.3

Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: High

Base Score: 7.7

Threat Score: 5.2

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 8/5/2021

Vulnerability Publication Date: 8/2/2021

Reference Information

CVE: CVE-2021-32811