GHSA-h6rp-mprm-xgcq: plone.rest vulnerable to Denial of Service when ++api++ is used many times

Impact

When the ++api++ traverser appears more than once in a URL, whether by accident or in a deliberately crafted request, each additional occurrence makes handling the request take increasingly longer, making the server less responsive. Any client that can reach the site can send such a URL.

Patches

Patches are available in plone.rest 2.0.1 and 3.0.1. The 1.x series is not affected.

Workarounds

Until you can upgrade, redirect /++api++/++api++ to /++api++ in your frontend web server (nginx, Apache). Write the rule so that it collapses any number of repeated ++api++ segments rather than matching the two-segment string literally, and apply it to the decoded request path so that percent-encoded spellings of the same URL are caught as well. The redirect is a mitigation only; upgrading to a patched release is the fix.
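As an added example (not code from the plone.rest project or from the advisory), the redirect workaround expressed as WSGI middleware that can sit in front of Plone. It generalises the advisory's rule: any run of consecutive ++api++ segments, anywhere in the path, is collapsed to one, and the client is sent a permanent redirect to the canonical URL. The names collapse_api_path, CollapseApiTraverser and handle are hypothetical, and the stub application standing in for Plone and the request paths are constructed for the demonstration. An nginx or Apache rewrite with the same regular expression is the simpler deployment of the same idea.

```python
"""Added example, not code from plone.rest or the advisory: the advisory's
frontend redirect (/++api++/++api++ -> /++api++) as WSGI middleware in front
of Plone, generalised to any run of repeated ++api++ segments."""
import re
from urllib.parse import quote

# One ``/++api++`` segment followed by at least one more, ending at a segment
# boundary so that a segment such as ``++api++x`` is left alone.  Group 1 keeps
# the first segment; the whole run is replaced with it.
_REPEATED_API = re.compile(r"(/\+\+api\+\+)(?:/\+\+api\+\+)+(?=/|$)")


def collapse_api_path(path):
    """Collapse consecutive ``++api++`` segments anywhere in ``path`` to one.

    Non-adjacent repeats (``/++api++/folder/++api++``) are deliberately left
    unchanged: this mirrors the advisory's redirect, it is not the fix.
    """
    return _REPEATED_API.sub(r"\1", path)


class CollapseApiTraverser:
    """WSGI middleware: redirect requests whose path repeats ``++api++``.

    PATH_INFO is already percent-decoded by the WSGI server, so an encoded
    ``%2B%2Bapi%2B%2B`` arrives here as ``++api++`` and is caught as well.
    A 308 (not 301) is used so that POST/PUT/PATCH keep their method and body
    when the client follows the redirect.
    """

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "")
        canonical = collapse_api_path(path)
        if canonical == path:
            return self.app(environ, start_response)
        # Re-encode for the Location header; '+' is legal in a path and must
        # stay literal, otherwise Plone would see a different segment name.
        location = quote(canonical, safe="/+")
        query = environ.get("QUERY_STRING", "")
        if query:
            location += "?" + query
        start_response("308 Permanent Redirect",
                       [("Location", location), ("Content-Length", "0")])
        return [b""]


def handle(path, query=""):
    """Drive one constructed request through the middleware with a stub app
    standing in for Plone; return (status, Location header or None)."""
    captured = {}

    def plone_stub(environ, start_response):
        # Constructed stand-in for the Plone WSGI application.
        start_response("200 OK", [("Content-Type", "application/json")])
        return [b"{}"]

    def start_response(status, headers):
        captured["status"] = status
        captured["headers"] = dict(headers)

    app = CollapseApiTraverser(plone_stub)
    list(app({"REQUEST_METHOD": "GET", "PATH_INFO": path,
              "QUERY_STRING": query}, start_response))
    return captured["status"], captured["headers"].get("Location")


if __name__ == "__main__":
    for p in ("/++api++/Plone/front-page",
              "/++api++/++api++/Plone/front-page",
              "/++api++/++api++/++api++/++api++/++api++"):
        print(p, "->", handle(p))
```

Redirecting rather than silently rewriting PATH_INFO keeps the canonical URL visible to clients, matching what the advisory's web-server redirect does; a path with a single ++api++ passes through untouched.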


Package

plone.rest (pip)

Affected versions

>= 2.0.0a1, < 2.0.1
= 3.0.0

Patched versions

2.0.1
3.0.1

References

  • GHSA-h6rp-mprm-xgcq
  • https://nvd.nist.gov/vuln/detail/CVE-2023-42457
  • plone/plone.rest@43b4a7e
  • plone/plone.rest@77846a9

mauritsvanrees published to plone/plone.rest: Sep 21, 2023
Published to the GitHub Advisory Database: Sep 21, 2023
Reviewed: Sep 21, 2023
Last updated: Sep 21, 2023

Related news

CVE-2023-42457: Denial of Service when ++api++ is used many times

plone.rest allows users to use HTTP verbs such as GET, POST, PUT, DELETE, etc. in Plone. Starting in the 2.x branch and prior to versions 2.0.1 and 3.0.1, when the `++api++` traverser is accidentally used multiple times in a URL, handling it takes increasingly longer, making the server less responsive. Patches are available in `plone.rest` 2.0.1 and 3.0.1. Series 1.x is not affected. As a workaround, one may redirect `/++api++/++api++` to `/++api++` in one's frontend web server (nginx, Apache).