GHSA-h6rp-mprm-xgcq
- Source
- https://github.com/advisories/GHSA-h6rp-mprm-xgcq
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-h6rp-mprm-xgcq/GHSA-h6rp-mprm-xgcq.json
- Aliases
- Published
- 2023-09-21T17:06:37Z
- Modified
- 2023-11-08T05:30:35.185333Z
- Details
-
Impact
When the
++api++traverser is accidentally used multiple times in a url, handling it takes increasingly longer, making the server less responsive.Patches
Patches will be released in
plone.rest2.0.1 and 3.0.1. Series 1.x is not affected.Workarounds
In your frontend web server (nginx, Apache) you can redirect
/++api++/++api++to/++api++. - References
-
- https://github.com/plone/plone.rest/security/advisories/GHSA-h6rp-mprm-xgcq
- https://nvd.nist.gov/vuln/detail/CVE-2023-42457
- https://github.com/plone/plone.rest/commit/43b4a7e86206e237e1de5ca3817ed071575882f7
- https://github.com/plone/plone.rest/commit/77846a9842889b24f35e8bedc2e9d461388d3302
- https://github.com/plone/plone.rest
- https://github.com/pypa/advisory-database/tree/main/vulns/plone-rest/PYSEC-2023-178.yaml
- http://www.openwall.com/lists/oss-security/2023/09/22/2
Affected packages
PyPI / plone-rest
Package
- Name
- plone-rest
PyPI / plone-rest
Package
- Name
- plone-rest