
Cloud Vulnerability DB
A community-led vulnerabilities database
RestrictedPython is a tool designed to define a subset of the Python language that allows users to provide program input into a trusted environment. A critical vulnerability (CVE-2023-37271) was discovered affecting versions prior to 5.3 and 6.1, where the tool failed to properly check access to stack frames and their attributes. The vulnerability was discovered in July 2023 and affects all RestrictedPython deployments that allow untrusted users to write Python code in the RestrictedPython environment (GitHub Advisory).
The vulnerability exists because stack frames are accessible within generators and generator expressions, both of which are allowed inside RestrictedPython. An attacker with access to a RestrictedPython environment can write code that obtains the current stack frame inside a generator and then traverses the stack beyond the RestrictedPython invocation boundary. The CVSS v3.1 base score is 9.9 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) according to the NVD assessment (NVD).
The vulnerability allows attackers to break out of the restricted sandbox and potentially execute arbitrary code in the Python interpreter. For Zope and Plone deployments, this affects systems where administrators allow untrusted users to create or edit objects of type Script (Python), DTML Method, DTML Document, or Zope Page Template, though this is a non-default configuration and is considered rare (GitHub Advisory).
The vulnerability has been fixed in RestrictedPython versions 5.3 and 6.1. For users unable to upgrade, there is no direct workaround available. The only mitigation is to ensure the RestrictedPython environment is only accessible to trusted users (GitHub Advisory).
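As an added defender-side example (not code from the advisory or the RestrictedPython project), the following checks an installed version string against the fixed releases named above and scans a submitted script for stack-frame attribute access as a triage signal during review. The sample submissions are constructed, and the attribute list is an assumption drawn from the Python data model rather than from the advisory.

```python
"""Added example (not from the advisory or the RestrictedPython project):
a deployment check for CVE-2023-37271 and a triage scan of submitted code."""
import ast
import re

# Fixed releases named in the advisory: 5.3 for the 5.x line, 6.1 for 6.x.
FIXED = {5: 3, 6: 1}

# Generator/frame attributes that expose the interpreter stack (assumed list,
# taken from the Python data model, not from the advisory).
FRAME_ATTRS = {"gi_frame", "f_back", "f_globals", "f_locals", "f_builtins", "f_code"}


def is_vulnerable(version: str) -> bool:
    """True when a RestrictedPython version string predates its fixed release.
    Only major.minor is compared; pre-release suffixes are ignored."""
    m = re.match(r"(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    major, minor = int(m.group(1)), int(m.group(2))
    if major in FIXED:
        return minor < FIXED[major]
    return major < 5  # older lines never received the fix; 7.x and later post-date it


def frame_access_in(source: str) -> list:
    """Return sorted (line, attribute) pairs where submitted code touches
    stack-frame attributes. A non-empty result is a review signal, not proof
    of an exploit, and no substitute for upgrading."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Attribute) and node.attr in FRAME_ATTRS:
            hits.append((node.lineno, node.attr))
    return sorted(hits)


# Constructed sample submissions for the scan.
BENIGN = "total = sum(x * x for x in range(10))\n"
SUSPECT = "g = (i for i in range(1))\npeek = g.gi_frame.f_back\n"

if __name__ == "__main__":
    for v in ("5.2", "5.3", "6.0", "6.1", "7.0"):
        print(v, "vulnerable" if is_vulnerable(v) else "patched")
    print("benign:", frame_access_in(BENIGN))
    print("suspect:", frame_access_in(SUSPECT))
```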
Source: This report was generated using AI