CVE-2022-23500 TYPO3 subject to Uncontrolled Recursion resulting in Denial of Service

2022-12-1407:07:05

CWE-674

GitHub_M

www.cve.org

typo3

uncontrolled recursion

denial of service

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

7.7 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

55.0%

JSON

TYPO3 is an open source PHP based web content management system. In versions prior to 9.5.38, 10.4.33, 11.5.20, and 12.1.1, requesting invalid or non-existing resources via HTTP triggers the page error handler, which again could retrieve content to be shown as an error message from another page. This leads to a scenario in which the application is calling itself recursively - amplifying the impact of the initial attack until the limits of the web server are exceeded. This vulnerability is very similar, but not identical, to the one described in CVE-2021-21359. This issue is patched in versions 9.5.38 ELTS, 10.4.33, 11.5.20 or 12.1.1.

CNA Affected

[
  {
    "vendor": "TYPO3",
    "product": "typo3",
    "versions": [
      {
        "version": ">= 9.0.0, < 9.5.38",
        "status": "affected"
      },
      {
        "version": ">= 10.0.0,  < 10.4.33",
        "status": "affected"
      },
      {
        "version": ">= 11.0.0, < 11.5.20",
        "status": "affected"
      },
      {
        "version": ">= 12.0.0, < 12.1.0",
        "status": "affected"
      }
    ]
  }
]