Lucene search

GoogleOSV:BIT-TYPO3-2022-36104

HistoryMar 06, 2024 - 11:09 a.m.

BIT-typo3-2022-36104

2024-03-0611:09:08

Google

osv.dev

typo3

php

cms

recursion

vulnerability

gnu gpl

http

error handler

web server

update

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

6.7 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

50.6%

JSON

TYPO3 is an open source PHP based web content management system released under the GNU GPL. In affected versions requesting invalid or non-existing resources via HTTP triggers the page error handler which again could retrieve content to be shown as an error message from another page. This leads to a scenario in which the application is calling itself recursively - amplifying the impact of the initial attack until the limits of the web server are exceeded. Users are advised to update to TYPO3 version 11.5.16 to resolve this issue. There are no known workarounds for this issue.

CPENameOperatorVersion
typo3lt11.5.15
typo3ge11.4.0

CPE	Name	Operator	Version
	typo3	lt	11.5.15
	typo3	ge	11.4.0

References

github.com/TYPO3/typo3/commit/179dd7cd78947081d573fee2050e197faa556f13

github.com/TYPO3/typo3/security/advisories/GHSA-fffr-7x4x-f98q

typo3.org/security/advisory/typo3-core-sa-2022-006

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

6.7 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

50.6%

JSON

Related for OSV:BIT-TYPO3-2022-36104