CVE-2023-42457

2023-09-2115:15:10

CWE-770

CWE-400

[email protected]

web.nvd.nist.gov

2379

plone

rest

http verbs

cve-2023-42457

security patch

server responsiveness

nvd

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.3 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

23.2%

JSON

plone.rest allows users to use HTTP verbs such as GET, POST, PUT, DELETE, etc. in Plone. Starting in the 2.x branch and prior to versions 2.0.1 and 3.0.1, when the ++api++ traverser is accidentally used multiple times in a url, handling it takes increasingly longer, making the server less responsive. Patches are available in plone.rest 2.0.1 and 3.0.1. Series 1.x is not affected. As a workaround, one may redirect /++api++/++api++ to /++api++ in one’s frontend web server (nginx, Apache).

Affected configurations

Vulners

NVD

Node

ploneploneRange2.0.0a1–2.0.1

ploneploneMatch3.0.0

VendorProductVersionCPE
ploneplone*cpe:2.3:a:plone:plone:*:*:*:*:*:*:*:*
ploneplone3.0.0cpe:2.3:a:plone:plone:3.0.0:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
plone	plone	*	cpe:2.3:a:plone:plone::::::::
plone	plone	3.0.0	cpe:2.3:a:plone:plone:3.0.0:::::::*

CNA Affected

[
  {
    "vendor": "plone",
    "product": "plone.rest",
    "versions": [
      {
        "version": ">= 2.0.0a1, < 2.0.1",
        "status": "affected"
      },
      {
        "version": "= 3.0.0",
        "status": "affected"
      }
    ]
  }
]