Home > Vulnerability Database > CVE-2023-42457

Mend.io Vulnerability Database

CVE-2023-42457

Good to know:

Date: September 21, 2023

plone.rest allows users to use HTTP verbs such as GET, POST, PUT, DELETE, etc. in Plone. Starting in the 2.x branch and prior to versions 2.0.1 and 3.0.1, when the `++api++` traverser is accidentally used multiple times in a url, handling it takes increasingly longer, making the server less responsive. Patches are available in `plone.rest` 2.0.1 and 3.0.1. Series 1.x is not affected. As a workaround, one may redirect `/++api++/++api++` to `/++api++` in one's frontend web server (nginx, Apache).

Language: Python

Severity Score

7.5

Related Resources (6)

Url: https://github.com/plone/plone.rest/security/advisories/GHSA-h6rp-mprm-xgcq

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-42457

Url: https://github.com/plone/plone.rest/commit/43b4a7e86206e237e1de5ca3817ed071575882f7

Url: https://github.com/plone/plone.rest/commit/77846a9842889b24f35e8bedc2e9d461388d3302

Url: http://www.openwall.com/lists/oss-security/2023/09/22/2

Url: https://www.mend.io/vulnerability-database/CVE-2023-42457

Severity Score

7.5

Weakness Type (CWE)

Uncontrolled Resource Consumption ('Resource Exhaustion')

CWE-400

Allocation of Resources Without Limits or Throttling

CWE-770

Top Fix

Upgrade Version

Upgrade to version plone.rest - 2.0.1,3.0.1

Learn More

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2023-42457

Good to know:

Date: September 21, 2023

Language: Python

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?