CVE-2023-42457

Опубликовано: 21 сент. 2023

Источник: nvd

CVSS3: 7.5

EPSS Низкий

Описание

plone.rest allows users to use HTTP verbs such as GET, POST, PUT, DELETE, etc. in Plone. Starting in the 2.x branch and prior to versions 2.0.1 and 3.0.1, when the ++api++ traverser is accidentally used multiple times in a url, handling it takes increasingly longer, making the server less responsive. Patches are available in plone.rest 2.0.1 and 3.0.1. Series 1.x is not affected. As a workaround, one may redirect /++api++/++api++ to /++api++ in one's frontend web server (nginx, Apache).

Ссылки

http://www.openwall.com/lists/oss-security/2023/09/22/2
Mailing List
Third Party Advisory
https://github.com/plone/plone.rest/commit/43b4a7e86206e237e1de5ca3817ed071575882f7
Patch
https://github.com/plone/plone.rest/commit/77846a9842889b24f35e8bedc2e9d461388d3302
Patch
https://github.com/plone/plone.rest/security/advisories/GHSA-h6rp-mprm-xgcq
Vendor Advisory
http://www.openwall.com/lists/oss-security/2023/09/22/2
Mailing List
Third Party Advisory
https://github.com/plone/plone.rest/commit/43b4a7e86206e237e1de5ca3817ed071575882f7
Patch
https://github.com/plone/plone.rest/commit/77846a9842889b24f35e8bedc2e9d461388d3302
Patch
https://github.com/plone/plone.rest/security/advisories/GHSA-h6rp-mprm-xgcq
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:plone:rest:2.0.0:*:*:*:*:*:*:*

cpe:2.3:a:plone:rest:3.0.0:*:*:*:*:*:*:*

EPSS

Процентиль: 46%

0.00232

Низкий

7.5 High

CVSS3

Дефекты

CWE-400

CWE-770

Связанные уязвимости

GHSA-h6rp-mprm-xgcq

CVSS3: 7.5

github

больше 2 лет назад

plone.rest vulnerable to Denial of Service when ++api++ is used many times

BDU:2023-07261

CVSS3: 7.5

fstec

больше 2 лет назад

Уязвимость программного средства для RESTful API для управления контентом в Plone CMS plone.rest, связанная с неконтролируемым расходом ресурсов, позволяющая нарушителю вызвать отказ в обслуживании

EPSS

Процентиль: 46%

0.00232

Низкий

7.5 High

CVSS3

Дефекты

CWE-400

CWE-770