Refine your search
1 vulnerability found for plone.rest by plone
CVE-2023-42457 (GCVE-0-2023-42457)
Vulnerability from cvelistv5
Published
2023-09-21 14:49
Modified
2025-02-13 17:09
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
plone.rest allows users to use HTTP verbs such as GET, POST, PUT, DELETE, etc. in Plone. Starting in the 2.x branch and prior to versions 2.0.1 and 3.0.1, when the `++api++` traverser is accidentally used multiple times in a url, handling it takes increasingly longer, making the server less responsive. Patches are available in `plone.rest` 2.0.1 and 3.0.1. Series 1.x is not affected. As a workaround, one may redirect `/++api++/++api++` to `/++api++` in one's frontend web server (nginx, Apache).
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| plone | plone.rest |
Version: >= 2.0.0a1, < 2.0.1 Version: = 3.0.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:23:38.908Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/plone/plone.rest/security/advisories/GHSA-h6rp-mprm-xgcq",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/plone/plone.rest/security/advisories/GHSA-h6rp-mprm-xgcq"
},
{
"name": "https://github.com/plone/plone.rest/commit/43b4a7e86206e237e1de5ca3817ed071575882f7",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/plone/plone.rest/commit/43b4a7e86206e237e1de5ca3817ed071575882f7"
},
{
"name": "https://github.com/plone/plone.rest/commit/77846a9842889b24f35e8bedc2e9d461388d3302",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/plone/plone.rest/commit/77846a9842889b24f35e8bedc2e9d461388d3302"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2023/09/22/2"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-42457",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-24T18:13:25.908320Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-24T18:13:36.876Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "plone.rest",
"vendor": "plone",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.0.0a1, \u003c 2.0.1"
},
{
"status": "affected",
"version": "= 3.0.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "plone.rest allows users to use HTTP verbs such as GET, POST, PUT, DELETE, etc. in Plone. Starting in the 2.x branch and prior to versions 2.0.1 and 3.0.1, when the `++api++` traverser is accidentally used multiple times in a url, handling it takes increasingly longer, making the server less responsive. Patches are available in `plone.rest` 2.0.1 and 3.0.1. Series 1.x is not affected. As a workaround, one may redirect `/++api++/++api++` to `/++api++` in one\u0027s frontend web server (nginx, Apache)."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-22T14:06:16.109Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/plone/plone.rest/security/advisories/GHSA-h6rp-mprm-xgcq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/plone/plone.rest/security/advisories/GHSA-h6rp-mprm-xgcq"
},
{
"name": "https://github.com/plone/plone.rest/commit/43b4a7e86206e237e1de5ca3817ed071575882f7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/plone/plone.rest/commit/43b4a7e86206e237e1de5ca3817ed071575882f7"
},
{
"name": "https://github.com/plone/plone.rest/commit/77846a9842889b24f35e8bedc2e9d461388d3302",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/plone/plone.rest/commit/77846a9842889b24f35e8bedc2e9d461388d3302"
},
{
"url": "http://www.openwall.com/lists/oss-security/2023/09/22/2"
}
],
"source": {
"advisory": "GHSA-h6rp-mprm-xgcq",
"discovery": "UNKNOWN"
},
"title": "plone.rest vulnerable to Denial of Service when ++api++ is used many times"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-42457",
"datePublished": "2023-09-21T14:49:32.123Z",
"dateReserved": "2023-09-08T20:57:45.574Z",
"dateUpdated": "2025-02-13T17:09:22.325Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}