CVE-2023-42457

Source
https://nvd.nist.gov/vuln/detail/CVE-2023-42457
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-42457.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2023-42457
Aliases
Published
2023-09-21T14:49:32Z
Modified
2025-10-16T10:09:33.385987Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
plone.rest vulnerable to Denial of Service when ++api++ is used many times
Details

plone.rest lets clients use HTTP verbs such as GET, POST, PUT and DELETE against Plone content. In the 2.x branch before 2.0.1, and in 3.x before 3.0.1, a URL in which the ++api++ traverser accidentally appears more than once takes increasingly longer to handle with each repetition, so a request carrying many repeated ++api++ segments ties up the server and makes it less responsive. No authentication or user interaction is required, which is why the CVSS vector above scores an unauthenticated, network-reachable availability impact. Patches are available in plone.rest 2.0.1 and 3.0.1; series 1.x is not affected. As a workaround, redirect /++api++/++api++ to /++api++ in the frontend web server (nginx, Apache) so the repeated traversal never reaches Plone.
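The workaround above as an nginx configuration. This is an added example, not configuration from the advisory or from the Plone project; the upstream address 127.0.0.1:8080, the site object /Plone and the hostname example.com are placeholders, and the location block collapses any number of consecutive ++api++ segments (not only two) into one redirect.

```nginx
# Added example, not taken from the plone.rest advisory or the Plone project.
# Assumptions (placeholders): Plone/Zope listens on 127.0.0.1:8080, the site
# object is /Plone, and the public hostname is example.com.

upstream plone {
    server 127.0.0.1:8080;
}

server {
    listen 80;
    server_name example.com;

    # Workaround for CVE-2023-42457: a URI with ++api++ directly followed by
    # one or more further ++api++ segments is redirected to the same URI with
    # a single ++api++, so Zope never performs the slow repeated traversal.
    # The first capture is non-greedy so that any number of repetitions
    # collapses in a single redirect (no second hop). nginx matches the regex
    # against the percent-decoded $uri, so /%2B%2Bapi%2B%2B/ is caught too.
    # 308 keeps the method and body of POST/PUT/PATCH/DELETE requests, which
    # a 301 would turn into GET in most clients.
    location ~ ^(.*?/\+\+api\+\+)(?:/\+\+api\+\+)+(.*)$ {
        return 308 $1$2$is_args$args;
    }

    # Ordinary Plone virtual-host rewrite for everything else.
    location / {
        rewrite ^/(.*)$ /VirtualHostBase/http/$host:80/Plone/VirtualHostRoot/$1 break;
        proxy_pass http://plone;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

To check the rule after `nginx -t` and a reload, request `http://example.com/++api++/++api++/++api++/news` with `curl -I`: the response should be a 308 whose Location header is `http://example.com/++api++/news`, and a second request to that Location must not redirect again (the regex requires at least two adjacent ++api++ segments, so there is no loop). If the extra round trip to the client is unwanted, the same regex can be applied as an internal `rewrite ... last` instead of `return 308`. Either way this only shields the server; the fix is upgrading to plone.rest 2.0.1 or 3.0.1.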

References

Affected packages

Git / github.com/plone/plone.rest

Affected ranges

Type
GIT
Repo
https://github.com/plone/plone.rest
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected

Affected versions

1.* (enumerated because the git range above starts from an unknown introduced commit; the advisory text states that series 1.x is not affected)

1.0.0
1.0a1
1.0a2
1.0a3
1.0a4
1.0a5
1.0a6
1.0a7
1.0b1
1.1.0
1.1.1
1.2.0
1.3.0
1.4.0
1.5.0
1.5.1
1.6.0
1.6.1
1.6.2

2.*

2.0.0
2.0.0a1
2.0.0a2
2.0.0a3
2.0.0a4
2.0.0a5

3.*

3.0.0