CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Percentile: 41.4%
When the ++api++ traverser is accidentally used multiple times in a URL, handling the request takes increasingly longer with each repetition, making the server less responsive. No authentication or user interaction is needed to trigger this.
Patches will be released in plone.rest 2.0.1 and 3.0.1. Series 1.x is not affected.
As a workaround, in your frontend web server (nginx, Apache) you can redirect /++api++/++api++ to /++api++ so that repeated traverser segments never reach Plone.
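The following nginx snippet is an added example of the web-server workaround described above; it is not configuration shipped by the plone.rest project. It generalizes the advisory's suggestion slightly: instead of redirecting only the exact /++api++/++api++ prefix, it collapses any run of consecutive ++api++ segments to a single one in one hop. The backend name (plone_backend), listen port and paths are assumptions for illustration.

```nginx
# Added example, not part of plone.rest. Assumes Plone is reachable at
# the upstream "plone_backend"; adjust names, ports and the rewrite to
# the Zope VirtualHostMonster to match your deployment.
upstream plone_backend {
    server 127.0.0.1:8080;
}

server {
    listen 80;
    server_name example.org;

    # Workaround for CVE-2023-42457: collapse repeated ++api++ traverser
    # segments before the request reaches Plone.
    #
    # PCRE notes: "+" is a regex metacharacter, so each "++api++" is
    # written as "\+\+api\+\+".  Group 1 keeps the first /++api++, the
    # non-capturing group eats every further repetition, and group 2
    # keeps whatever follows (must start with "/" or be the end of the
    # path, so a different segment such as "/++api++foo" is left alone).
    # $is_args$args re-attaches the query string, which "return" drops.
    location ~ ^(/\+\+api\+\+)(?:/\+\+api\+\+)+(/.*)?$ {
        return 301 $1$2$is_args$args;
    }

    # Normal API traffic (single ++api++) is proxied to Plone as usual.
    location /++api++/ {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://plone_backend;
    }

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://plone_backend;
    }
}
```

To check the rule, request /++api++/++api++/++api++/ (with any query string) and confirm the response is a 301 whose Location header is /++api++/ with the query string preserved, while a single /++api++/ request is proxied normally. Apache httpd can express the same rule with a RedirectMatch using the identical regular expression. A redirect is a workaround only; the repetition still costs the web server a regex match per request, so upgrade to plone.rest 2.0.1 or 3.0.1 as soon as the releases are available.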
www.openwall.com/lists/oss-security/2023/09/22/2
github.com/plone/plone.rest
github.com/plone/plone.rest/commit/43b4a7e86206e237e1de5ca3817ed071575882f7
github.com/plone/plone.rest/commit/77846a9842889b24f35e8bedc2e9d461388d3302
github.com/plone/plone.rest/security/advisories/GHSA-h6rp-mprm-xgcq
github.com/pypa/advisory-database/tree/main/vulns/plone-rest/PYSEC-2023-178.yaml
nvd.nist.gov/vuln/detail/CVE-2023-42457