CVE-2023-42457 Information
Description
plone.rest allows users to use HTTP verbs such as GET, POST, PUT, DELETE, etc. in Plone. Starting in the 2.x branch and prior to versions 2.0.1 and 3.0.1, when the ++api++ traverser is accidentally used multiple times in a URL, handling it takes increasingly longer, making the server less responsive. Patches are available in plone.rest 2.0.1 and 3.0.1. Series 1.x is not affected. As a workaround, one may redirect /++api++/++api++ to /++api++ in one's frontend web server (nginx, Apache).
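The workaround above, written out as an nginx server fragment. This is an added example, not configuration from the plone.rest project or the advisory: the upstream address (127.0.0.1:8080), the server name and the choice of a 301 redirect are assumptions, and the regular expression is generalised so that any run of two or more consecutive ++api++ segments collapses to a single one, not only the exact pair /++api++/++api++ named in the advisory.

```nginx
# Added example (not from the plone.rest project): collapse repeated
# ++api++ traversers at the frontend before the request reaches Plone.
server {
    listen 80;
    server_name plone.example;   # assumed hostname

    # Match a path that starts with /++api++ followed by one or more further
    # /++api++ segments. $1 is the first traverser, $2 the remainder of the
    # path (either "/..." or empty, so "/++api++foo" is not touched).
    # Regex locations take precedence over the prefix location below, so the
    # collapsed redirect is issued before anything is proxied to Plone.
    location ~ ^(/\+\+api\+\+)(?:/\+\+api\+\+)+(/.*|)$ {
        # $is_args$args preserves any query string on the redirected URL.
        return 301 $1$2$is_args$args;
    }

    # Everything else, including a single /++api++ prefix, goes to Plone.
    location / {
        proxy_pass http://127.0.0.1:8080;   # assumed Plone/Zope backend
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

After a redirect, /++api++/++api++/++api++/folder?b_size=5 becomes /++api++/folder?b_size=5 in one round trip, while a legitimate single /++api++/folder request is proxied unchanged. The redirect is a mitigation for unpatched deployments only; upgrading to plone.rest 2.0.1 or 3.0.1 removes the underlying behaviour.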
Reference
https://github.com/plone/plone.rest/security/advisories/GHSA-h6rp-mprm-xgcq
https://github.com/plone/plone.rest/commit/77846a9842889b24f35e8bedc2e9d461388d3302
https://github.com/plone/plone.rest/commit/43b4a7e86206e237e1de5ca3817ed071575882f7