PYSEC-2023-178

Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/plone-rest/PYSEC-2023-178.yaml
JSON Data
https://api.test.osv.dev/v1/vulns/PYSEC-2023-178
Aliases
Published
2023-09-21T15:15:00Z
Modified
2023-11-01T05:02:56.493930Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
[none]
Details

plone.rest allows users to use HTTP verbs such as GET, POST, PUT, DELETE, etc. in Plone. Starting in the 2.x branch and prior to versions 2.0.1 and 3.0.1, when the ++api++ traverser is accidentally used multiple times in a url, handling it takes increasingly longer, making the server less responsive. Patches are available in plone.rest 2.0.1 and 3.0.1. Series 1.x is not affected. As a workaround, one may redirect /++api++/++api++ to /++api++ in one's frontend web server (nginx, Apache).
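One way to apply the front-end workaround named above in nginx, as an added example that is not part of the advisory or of plone.rest itself: the location block matches any request path that starts with two or more consecutive ++api++ segments and redirects it to the same path with a single ++api++, so the repeated traverser never reaches Plone. The server name, the backend address and the choice of an external 301 redirect (rather than an internal rewrite) are assumptions.

```nginx
# Added example, not from the advisory: collapse repeated ++api++ traversers at
# the reverse proxy so Plone only ever sees a single one.
# Assumptions: Plone listens on 127.0.0.1:8080 behind this nginx instance, and
# API clients are able to follow a redirect.
server {
    listen 80;
    server_name plone.example.test;   # constructed value

    # "+" is a regex metacharacter, so each literal plus sign is escaped.
    # $1 = the first "/++api++", $3 = everything after the last repeated one.
    location ~ ^(/\+\+api\+\+)(/\+\+api\+\+)+(.*)$ {
        return 301 $1$3$is_args$args;
    }

    location / {
        proxy_pass http://127.0.0.1:8080;   # assumed Plone backend
        proxy_set_header Host $host;
    }
}
```

With this in place a request for /++api++/++api++/news is answered with a 301 to /++api++/news and a query string, if any, is preserved via $is_args$args; requests that already use a single ++api++ fall through to the normal proxy location.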

References

Affected packages

PyPI / plone-rest

Package

Affected ranges

Type
GIT
Repo
https://github.com/plone/plone.rest
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Type
ECOSYSTEM
Events
Introduced
0 Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.0a1
1.0a2
1.0a3
1.0a4
1.0a5
1.0a6
1.0a7
1.0b1
1.0.0
1.1.1
1.2.0
1.3.0
1.4.0
1.5.0
1.5.1
1.6.0
1.6.1
1.6.2

2.*

2.0.0a1
2.0.0a2
2.0.0a3
2.0.0a4
2.0.0a5
2.0.0a6.dev0
2.0.0
2.0.1

3.*

3.0.0
3.0.1
3.0.2

4.*

4.0.0
4.1.0
4.1.1
4.1.2