Lucene search

K
cve[email protected]CVE-2023-42457
HistorySep 21, 2023 - 3:15 p.m.

CVE-2023-42457

2023-09-2115:15:10
CWE-770
CWE-400
web.nvd.nist.gov
2346
plone
rest
http verbs
cve-2023-42457
security patch
server responsiveness
nvd

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.3 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

23.1%

plone.rest allows users to use HTTP verbs such as GET, POST, PUT, DELETE, etc. in Plone. Starting in the 2.x branch and prior to versions 2.0.1 and 3.0.1, when the ++api++ traverser is accidentally used multiple times in a url, handling it takes increasingly longer, making the server less responsive. Patches are available in plone.rest 2.0.1 and 3.0.1. Series 1.x is not affected. As a workaround, one may redirect /++api++/++api++ to /++api++ in one’s frontend web server (nginx, Apache).

Affected configurations

Vulners
NVD
Node
ploneploneRange2.0.0a12.0.1
OR
ploneploneMatch3.0.0
VendorProductVersionCPE
ploneplone*cpe:2.3:a:plone:plone:*:*:*:*:*:*:*:*
ploneplone3.0.0cpe:2.3:a:plone:plone:3.0.0:*:*:*:*:*:*:*

CNA Affected

[
  {
    "vendor": "plone",
    "product": "plone.rest",
    "versions": [
      {
        "version": ">= 2.0.0a1, < 2.0.1",
        "status": "affected"
      },
      {
        "version": "= 3.0.0",
        "status": "affected"
      }
    ]
  }
]

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.3 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

23.1%

Related for CVE-2023-42457