GHSA-h6rp-mprm-xgcq
Suggest an improvement- Source
- https://github.com/advisories/GHSA-h6rp-mprm-xgcq
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-h6rp-mprm-xgcq/GHSA-h6rp-mprm-xgcq.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-h6rp-mprm-xgcq
- Aliases
- Published
- 2023-09-21T17:06:37Z
- Modified
- 2024-10-09T22:01:11.000848Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- 6.6 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U CVSS Calculator
- Summary
- plone.rest vulnerable to Denial of Service when ++api++ is used many times
- Details
-
Impact
When the
++api++traverser is accidentally used multiple times in a url, handling it takes increasingly longer, making the server less responsive.Patches
Patches will be released in
plone.rest2.0.1 and 3.0.1. Series 1.x is not affected.Workarounds
In your frontend web server (nginx, Apache) you can redirect
/++api++/++api++to/++api++. - Database specific
{ "nvd_published_at": "2023-09-21T15:15:10Z", "cwe_ids": [ "CWE-400", "CWE-770" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2023-09-21T17:06:37Z" }- References
-
- https://github.com/plone/plone.rest/security/advisories/GHSA-h6rp-mprm-xgcq
- https://nvd.nist.gov/vuln/detail/CVE-2023-42457
- https://github.com/plone/plone.rest/commit/43b4a7e86206e237e1de5ca3817ed071575882f7
- https://github.com/plone/plone.rest/commit/77846a9842889b24f35e8bedc2e9d461388d3302
- https://github.com/plone/plone.rest
- https://github.com/pypa/advisory-database/tree/main/vulns/plone-rest/PYSEC-2023-178.yaml
- http://www.openwall.com/lists/oss-security/2023/09/22/2
Affected packages
PyPI / plone-rest
Package
- Name
- plone-rest
- View open source insights on deps.dev
- Purl
- pkg:pypi/plone-rest
PyPI / plone-rest
Package
- Name
- plone-rest
- View open source insights on deps.dev
- Purl
- pkg:pypi/plone-rest