Moderate severity · NVD Advisory · Published Sep 21, 2023 · Updated Feb 13, 2025

plone.rest vulnerable to Denial of Service when ++api++ is used many times

CVE-2023-42457

Description

plone.rest lets clients use HTTP verbs such as GET, POST, PUT and DELETE against Plone content. Starting in the 2.x branch and prior to versions 2.0.1 and 3.0.1, when the ++api++ traverser is accidentally repeated in a URL (for example /++api++/++api++/...), each additional occurrence makes handling the request take increasingly longer, which makes the server less responsive. Patches are available in plone.rest 2.0.1 and 3.0.1. The 1.x series is not affected. As a workaround, one may redirect /++api++/++api++ to /++api++ in the frontend web server (nginx, Apache).
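An added nginx example of the workaround described above (not from the advisory or the plone.rest project): it generalizes the redirect to collapse any run of repeated ++api++ segments, not just a double one, and assumes Plone is proxied at the placeholder upstream address shown.

```nginx
# Added example, not part of the advisory: collapse a run of repeated
# ++api++ traversers into a single one before Plone sees the request.
# Assumes Plone is proxied at the placeholder upstream address below.
server {
    listen 80;
    server_name example.invalid;   # placeholder host name

    # Regex locations take precedence over the plain "location /" prefix
    # below. /++api++/++api++/foo and /++api++/++api++/++api++/foo both
    # redirect to /++api++/foo; the query string is kept via $is_args$args.
    # The redirected URL no longer matches, so there is no redirect loop.
    location ~ ^/\+\+api\+\+(?:/\+\+api\+\+)+(.*)$ {
        return 301 /++api++$1$is_args$args;
    }

    # Everything else, including a single ++api++, goes to Plone.
    location / {
        proxy_pass http://127.0.0.1:8080;   # placeholder Plone/Zope address
    }
}
```

A request path with a single ++api++ is passed through unchanged, so legitimate API clients are not affected.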


Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
plone.rest (PyPI) | >= 2.0.0a1, < 2.0.1 | 2.0.1
plone.rest (PyPI) | >= 3.0.0, < 3.0.1 | 3.0.1
