Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information. Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
plone.rest vulnerable to Denial of Service when ++api++ is used many times
Vulnerability Description
plone.rest allows users to use HTTP verbs such as GET, POST, PUT, DELETE, etc. in Plone. Starting in the 2.x branch and prior to versions 2.0.1 and 3.0.1, when the `++api++` traverser is accidentally used multiple times in a URL, handling it takes increasingly longer, making the server less responsive. Patches are available in `plone.rest` 2.0.1 and 3.0.1. Series 1.x is not affected. As a workaround, one may redirect `/++api++/++api++` to `/++api++` in one's frontend web server (nginx, Apache).
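One way to apply that workaround in nginx, as an added example that is not taken from the advisory or from plone.rest itself; it collapses any run of repeated `++api++` segments to a single one before the request reaches Plone, and the backend address is an assumed placeholder:

```nginx
# Added example (not from the advisory). Place inside the server block that
# fronts Plone. Any run of two or more consecutive "/++api++" segments is
# redirected to the same path with a single "/++api++", keeping the rest of
# the path and the query string.
location ~ ^(?<prefix>.*?/\+\+api\+\+)(?:/\+\+api\+\+)+(?<rest>/.*)?$ {
    # $prefix: everything up to and including the first ++api++
    # $rest:   whatever follows the last repeated ++api++ (may be empty)
    return 301 $prefix$rest$is_args$args;
}

location / {
    proxy_pass http://127.0.0.1:8080;   # assumed Plone/Zope backend address
}
```

For example, `/++api++/++api++/++api++/plone/news?b_size=10` is redirected to `/++api++/plone/news?b_size=10`, while a single `/++api++/...` request is passed through unchanged.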
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Vulnerability Type
Uncontrolled Resource Consumption (Resource Exhaustion)
Vulnerability Title
Plone security vulnerability
Vulnerability Description
Plone is an open-source content management system (CMS) built on the Zope application server. plone.rest versions 2.0.0 and 3.0.0 contain a security vulnerability: when the traverser is used multiple times in a URL, processing time grows, leading to a denial of service (DoS).
CVSS Information
N/A
Vulnerability Type
N/A