Moderate severity · NVD Advisory · Published Sep 21, 2023 · Updated Feb 13, 2025
plone.rest vulnerable to Denial of Service when ++api++ is used many times
CVE-2023-42457
Description
plone.rest allows users to use HTTP verbs such as GET, POST, PUT, DELETE, etc. in Plone. Starting in the 2.x branch and prior to versions 2.0.1 and 3.0.1, when the ++api++ traverser is accidentally used multiple times in a URL, handling it takes increasingly longer, making the server less responsive. Patches are available in plone.rest 2.0.1 and 3.0.1. Series 1.x is not affected. As a workaround, one may redirect /++api++/++api++ to /++api++ in one's frontend web server (nginx, Apache).
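As an added illustration of the workaround above (example code, not part of plone.rest or the advisory): a hypothetical WSGI middleware placed in front of the Plone application that collapses a run of repeated ++api++ segments into one and redirects, the same rewrite the advisory suggests doing in nginx or Apache. The middleware name, the `simulate_request` helper and the sample paths are constructed for this example.

```python
import re

# Two or more consecutive "++api++" path segments (constructed regex).
# Each extra segment is what made request handling progressively slower
# in affected plone.rest 2.x/3.0.0 (CVE-2023-42457), so we never let a
# repeated form reach the application.
_REPEATED_API = re.compile(r"(?:/\+\+api\+\+){2,}")


def collapse_api_traverser(path: str) -> str:
    """Rewrite any run of consecutive ++api++ segments to a single one."""
    return _REPEATED_API.sub("/++api++", path)


class CollapseApiTraverser:
    """Hypothetical WSGI middleware mirroring the advisory's proxy redirect.

    If the collapsed path differs from the requested one, answer with a
    301 to the collapsed path (query string preserved); otherwise pass the
    request through untouched.
    """

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "")
        target = collapse_api_traverser(path)
        if target == path:
            return self.app(environ, start_response)
        query = environ.get("QUERY_STRING", "")
        if query:
            target += "?" + query
        start_response("301 Moved Permanently",
                       [("Location", target), ("Content-Length", "0")])
        return [b""]


def simulate_request(path: str, query: str = ""):
    """Run one request through the middleware with a trivial backend.

    Returns (status, location) where location is None when the backend
    handled the request. Constructed helper for demonstration only.
    """
    seen = {}

    def backend(environ, start_response):
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"ok"]

    def start_response(status, headers):
        seen["status"] = status
        seen["location"] = dict(headers).get("Location")

    app = CollapseApiTraverser(backend)
    list(app({"PATH_INFO": path, "QUERY_STRING": query}, start_response))
    return seen["status"], seen["location"]
```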
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| plone.rest (PyPI) | >= 2.0.0a1, < 2.0.1 | 2.0.1 |
| plone.rest (PyPI) | >= 3.0.0, < 3.0.1 | 3.0.1 |
Affected products
- Range: >= 2.0.0a1, < 2.0.1
References
- github.com/advisories/GHSA-h6rp-mprm-xgcq (advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-42457 (advisory)
- www.openwall.com/lists/oss-security/2023/09/22/2 (web)
- github.com/plone/plone.rest/commit/43b4a7e86206e237e1de5ca3817ed071575882f7 (web)
- github.com/plone/plone.rest/commit/77846a9842889b24f35e8bedc2e9d461388d3302 (web)
- github.com/plone/plone.rest/security/advisories/GHSA-h6rp-mprm-xgcq (web)
- github.com/pypa/advisory-database/tree/main/vulns/plone-rest/PYSEC-2023-178.yaml (web)