GHSA-h6rp-mprm-xgcq

Source
https://github.com/advisories/GHSA-h6rp-mprm-xgcq
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-h6rp-mprm-xgcq/GHSA-h6rp-mprm-xgcq.json
Aliases
Published
2023-09-21T17:06:37Z
Modified
2023-11-08T05:30:35.185333Z
Details

Impact

When the ++api++ traverser appears more than once in a URL (for example /++api++/++api++/...), handling the request takes increasingly longer with each repetition, making the server less responsive. The repetition is normally accidental, but the slowdown occurs regardless of intent.

Patches

The fix is released in plone.rest 2.0.1 and 3.0.1 (see the affected ranges below). The 1.x series is not affected.

Workarounds

Until you can upgrade, configure your frontend web server (nginx or Apache) to redirect requests for /++api++/++api++ to /++api++, so that the repeated traverser never reaches Plone.
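The following nginx fragment is an added example of that workaround; it is not part of the advisory or of plone.rest. It goes a little beyond the single doubled case named above and collapses any run of two or more consecutive ++api++ segments anywhere in the path in a single redirect. The hostname example.org and the upstream address 127.0.0.1:8080 are assumptions; adjust them to your deployment.

```nginx
# Added example (not from the advisory): nginx mitigation for repeated ++api++
# traversers in plone.rest. Assumes Plone listens on 127.0.0.1:8080 and the
# site is served at the root of example.org (both assumed values).
server {
    listen 80;
    server_name example.org;

    # Any path containing two or more consecutive ++api++ segments is
    # redirected to the same path with a single ++api++.
    # nginx matches regex locations against the decoded, normalized URI,
    # so percent-encoded spellings such as %2B%2Bapi%2B%2B are caught as well.
    # $1 = everything before the run (lazy, so the whole run collapses in one hop),
    # $2 = everything after it (optional); $is_args$args keeps the query string.
    location ~ ^(.*?)/\+\+api\+\+(?:/\+\+api\+\+)+(/.*)?$ {
        return 301 $1/++api++$2$is_args$args;
    }

    # Everything else, including a single /++api++/, reaches Plone as before.
    # Keep your existing VirtualHostBase rewrite here if your deployment uses one.
    location / {
        proxy_pass http://127.0.0.1:8080;
    }
}
```

After reloading nginx, a request such as curl -sI 'http://example.org/++api++/++api++/foo?x=1' should answer with 301 and a Location of /++api++/foo?x=1, while /++api++/foo itself is proxied unchanged. The equivalent Apache rule is a RewriteRule with the same pattern and replacement and the [R=301,L] flags, placed before the rule that hands requests to Plone. The redirect is a stop-gap: it keeps repeated traversers out of Plone but does not change plone.rest itself, so still upgrade to 2.0.1 or 3.0.1.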

References

Affected packages

PyPI / plone-rest

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.0.0a1
Fixed
2.0.1

Affected versions

2.*

2.0.0a1
2.0.0a2
2.0.0a3
2.0.0a4
2.0.0a5
2.0.0a6.dev0
2.0.0

PyPI / plone-rest

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.0.0
Fixed
3.0.1

Affected versions

3.*

3.0.0