CVE-2023-42457

7.5 HIGH

📋 TL;DR

This CVE describes a denial-of-service vulnerability in plone.rest where repeated use of the `++api++` traverser in URLs causes increasing processing time, making the server less responsive. It affects Plone installations using plone.rest versions 2.x (before 2.0.1) and 3.x (before 3.0.1). Series 1.x is not affected.

💻 Affected Systems

Products:
  • plone.rest
Versions: 2.x (before 2.0.1) and 3.x (before 3.0.1)
Operating Systems: All platforms running affected plone.rest versions
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations where the ++api++ traverser is enabled and accessible.


⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete server unresponsiveness due to resource exhaustion from repeated malicious requests, potentially causing extended service downtime.

🟠 Likely Case: Degraded server performance and increased response times affecting legitimate users, potentially leading to partial service disruption.

🟢 If Mitigated: Minimal impact with proper patching or workarounds in place, maintaining normal server operations.

🌐 Internet-Facing: HIGH - Publicly accessible Plone servers are directly vulnerable to unauthenticated DoS attacks.
🏢 Internal Only: MEDIUM - Internal attackers could still exploit this, but attack surface is reduced compared to internet-facing systems.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only HTTP requests with repeated ++api++ segments in URLs, making it trivial to weaponize.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: plone.rest 2.0.1 and 3.0.1

Vendor Advisory: https://github.com/plone/plone.rest/security/advisories/GHSA-h6rp-mprm-xgcq

Restart Required: Yes

Instructions:

1. Update plone.rest to version 2.0.1 (for the 2.x branch) or 3.0.1 (for the 3.x branch).
2. Restart the Plone application server.
3. Verify the fix by testing URLs with repeated ++api++ segments.

🔧 Temporary Workarounds

Web Server Redirect (platform: all)

Redirect URLs containing /++api++/++api++ to /++api++ at the web server level, so the repeated traverser is collapsed before the request reaches Plone. Both rules below only match when the repeated pair sits at the start of the path; adapt the pattern if ++api++ appears deeper in your URL structure (for example under a site prefix). A request with N repetitions is collapsed one segment per redirect, so the client follows N-1 redirects before reaching the single-++api++ URL.

# Apache example (VirtualHost context; in .htaccess the matched path has no leading "/")
RewriteEngine On
RewriteRule ^/\+\+api\+\+/\+\+api\+\+(.*)$ /++api++$1 [R=301,L]
# Nginx example (inside the server block)
rewrite ^/\+\+api\+\+/\+\+api\+\+(.*)$ /++api++$1 permanent;

🧯 If You Can't Patch

  • Implement web server redirect workaround as described above
  • Implement rate limiting or WAF rules to block requests with repeated ++api++ segments

🔍 How to Verify

Check if Vulnerable:

Test by accessing a URL like /++api++/++api++/some-endpoint and measuring response time. If response time increases significantly with each additional ++api++ segment, the system is vulnerable.

Check Version:

Check plone.rest version in Plone's add-ons control panel or via pip: pip show plone.rest

Verify Fix Applied:

After patching, test the same URLs - response times should remain consistent regardless of ++api++ repetitions.

📡 Detection & Monitoring

Log Indicators:

  • Multiple consecutive ++api++ segments in URL paths
  • Unusually long request processing times for API endpoints
  • Increased CPU/memory usage on Plone servers

Network Indicators:

  • HTTP requests with patterns like /++api++/++api++/++api++
  • Spike in requests to API endpoints

SIEM Query:

url.path CONTAINS '++api++/++api++' AND response_time > 5000
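To turn the log and network indicators above into something you can run over access logs, here is an added example (not part of this page or of plone.rest) that scans constructed web server log lines, counts ++api++ segments anywhere in the path, flags requests with repeated traversers or with slow API responses, and tallies flagged requests per client address. The log format with a trailing request-time field in milliseconds and the 5000 ms threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample access log lines (combined log format plus a trailing
# request-time field in milliseconds, which most reverse proxies can be configured to emit).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:12:00:01 +0000] "GET /++api++/@search HTTP/1.1" 200 512 120
203.0.113.5 - - [10/Oct/2023:12:00:02 +0000] "GET /++api++/++api++/@search HTTP/1.1" 200 512 900
203.0.113.5 - - [10/Oct/2023:12:00:03 +0000] "GET /++api++/++api++/++api++/++api++/@search HTTP/1.1" 200 512 7200
198.51.100.9 - - [10/Oct/2023:12:00:04 +0000] "GET /site/++api++/++api++/++api++/@navigation HTTP/1.1" 200 256 5100
198.51.100.9 - - [10/Oct/2023:12:00:05 +0000] "GET /index.html HTTP/1.1" 200 1024 15
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d+) (?P<bytes>\S+) (?P<rt_ms>\d+)$'
)
API_SEGMENT = "++api++"


def count_api_segments(path: str) -> int:
    """Number of ++api++ path segments, wherever they appear (query string ignored)."""
    return sum(1 for seg in path.split("?", 1)[0].split("/") if seg == API_SEGMENT)


def find_suspicious(log_text: str, min_repeats: int = 2, slow_ms: int = 5000):
    """Return (ip, path, repeats, rt_ms) for requests that repeat the ++api++ traverser
    at least min_repeats times, or API requests whose processing time exceeded slow_ms."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; skip rather than guess
        repeats = count_api_segments(m["path"])
        rt_ms = int(m["rt_ms"])
        if repeats >= min_repeats or (repeats and rt_ms > slow_ms):
            hits.append((m["ip"], m["path"], repeats, rt_ms))
    return hits


def top_sources(hits):
    """Flagged requests per client address, as input for rate limiting or WAF rules."""
    return Counter(ip for ip, *_ in hits)


if __name__ == "__main__":
    flagged = find_suspicious(SAMPLE_LOG)
    for hit in flagged:
        print(hit)
    print(top_sources(flagged))
```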
