GHSA-8c28-5mp7-v24h
Suggest an improvement- Source
- https://github.com/advisories/GHSA-8c28-5mp7-v24h
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-8c28-5mp7-v24h/GHSA-8c28-5mp7-v24h.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-8c28-5mp7-v24h
- Aliases
- Published
- 2022-12-13T17:02:09Z
- Modified
- 2023-12-06T00:46:56.761578Z
- Severity
-
- 5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- TYPO3 CMS vulnerable to Denial of Service in Page Error Handling
- Details
-
Problem
Requesting invalid or non-existing resources via HTTP triggers the page error handler, which again could retrieve content to be shown as an error message from another page. This leads to a scenario in which the application is calling itself recursively - amplifying the impact of the initial attack until the limits of the web server are exceeded.
This vulnerability is very similar, but not identical, to the one described in TYPO3-CORE-SA-2021-005 (CVE-2021-21359).
Solution
Update to TYPO3 versions 9.5.38 ELTS, 10.4.33 or 11.5.20 that fix the problem described above.
References
- Database specific
{ "nvd_published_at": "2022-12-14T08:15:00Z", "cwe_ids": [ "CWE-405", "CWE-674" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2022-12-13T17:02:09Z" }- References
-
- https://github.com/TYPO3/typo3/security/advisories/GHSA-8c28-5mp7-v24h
- https://nvd.nist.gov/vuln/detail/CVE-2022-23500
- https://github.com/TYPO3/typo3/commit/1e5f44417f031c9c5a9f9d09a6a841cf89aa7b7a
- https://github.com/TYPO3/typo3/commit/73b46b6a627093112cfca4b895a198ca5e1970b7
- https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2022-23500.yaml
- https://github.com/TYPO3/typo3
- https://typo3.org/security/advisory/typo3-core-sa-2022-012
Affected packages
Packagist / typo3/cms-core
Package
- Name
- typo3/cms-core
- Purl
- pkg:composer/typo3/cms-core
Affected versions
v9.*
v9.0.0
v9.1.0
v9.2.0
v9.2.1
v9.3.0
v9.3.1
v9.3.2
v9.3.3
v9.4.0
v9.5.0
v9.5.1
v9.5.2
v9.5.3
v9.5.4
v9.5.5
v9.5.6
v9.5.7
v9.5.8
v9.5.9
v9.5.10
v9.5.11
v9.5.12
v9.5.13
v9.5.14
v9.5.15
v9.5.16
v9.5.17
v9.5.18
v9.5.19
v9.5.20
v9.5.21
v9.5.22
v9.5.23
v9.5.24
v9.5.25
v9.5.26
v9.5.27
v9.5.28
v9.5.29
v9.5.30
v9.5.31
Packagist / typo3/cms-core
Package
- Name
- typo3/cms-core
- Purl
- pkg:composer/typo3/cms-core
Affected versions
v10.*
v10.0.0
v10.1.0
v10.2.0
v10.2.1
v10.2.2
v10.3.0
v10.4.0
v10.4.1
v10.4.2
v10.4.3
v10.4.4
v10.4.5
v10.4.6
v10.4.7
v10.4.8
v10.4.9
v10.4.10
v10.4.11
v10.4.12
v10.4.13
v10.4.14
v10.4.15
v10.4.16
v10.4.17
v10.4.18
v10.4.19
v10.4.20
v10.4.21
v10.4.22
v10.4.23
v10.4.24
v10.4.25
v10.4.26
v10.4.27
v10.4.28
v10.4.29
v10.4.30
v10.4.31
v10.4.32
Packagist / typo3/cms-core
Package
- Name
- typo3/cms-core
- Purl
- pkg:composer/typo3/cms-core
Packagist / typo3/cms
Package
- Name
- typo3/cms
- Purl
- pkg:composer/typo3/cms
Affected versions
v10.*
v10.0.0
v10.1.0
v10.2.0
v10.2.1
v10.2.2
v10.3.0
v10.4.0
v10.4.1
v10.4.2
v10.4.3
v10.4.4
v10.4.5
v10.4.6
v10.4.7
v10.4.8
v10.4.9
v10.4.10
v10.4.11
v10.4.12
v10.4.13
v10.4.14
v10.4.15
v10.4.16
v10.4.17
v10.4.18
v10.4.19
v10.4.20
v10.4.21
v10.4.22
v10.4.23
v10.4.24
v10.4.25
v10.4.26
v10.4.27
v10.4.28
v10.4.29
v10.4.30
v10.4.31
v10.4.32
Packagist / typo3/cms
Package
- Name
- typo3/cms
- Purl
- pkg:composer/typo3/cms