Summary: A vulnerability in plone.rest, the package that adds HTTP verb support to Plone, makes the server less responsive when the ++api++ traverser is accidentally used multiple times in one URL. Patches are available, and a workaround is to redirect the affected routes in a frontend web server.


Plone, the open-source content management system, uses plone.rest to simplify the way it interacts with external applications and services. However, plone.rest versions (the 2.x branch prior to 2..1, and versions prior to 3..1) contain a vulnerability assigned the identifier CVE-2023-42457: the server becomes less responsive when the ++api++ traverser is accidentally used multiple times in a URL. The 1.x series is not affected by this issue.

The issue lies in the handling of URLs that contain more than one ++api++ traverser segment. As the number of ++api++ segments increases, the time the server takes to handle the request increases exponentially. The result is slow server response times, which degrade overall performance and user experience.

To illustrate the effect of this issue, consider the following code snippet:

# Illustration only: plone.rest implements ++api++ as a namespace traverser that
# runs once for every ++api++ segment in the request path. The traverser is not a
# plain importable function, so this models the URL shape rather than calling it.
path = "/Plone/++api++/++api++/front-page"
api_hops = [segment for segment in path.split("/") if segment == "++api++"]
print(len(api_hops))  # 2: the traverser runs twice for this single request

Here the ++api++ traverser appears twice in the path, so the request takes longer to serve than a request with a single ++api++ segment.

To address this vulnerability, patches have been released in plone.rest 2..1 and 3..1. Users are advised to update to the latest plone.rest release to prevent these slowdowns.

- Plone Security Announcement
- plone.rest Repository
- plone.rest Release Notes

For users unable to update their plone.rest version, a workaround is available: configure the frontend web server (such as nginx or Apache) to redirect /++api++/++api++ to /++api++. Here is an example configuration for nginx:

# "+" is a quantifier in nginx (PCRE) regular expressions, so every "+" in the
# pattern must be escaped; the unescaped form "^/++api++" is a regex syntax error.
location ~ ^/\+\+api\+\+/\+\+api\+\+ {
    # Collapse the doubled traverser and send the client a 301 to the clean URL.
    rewrite ^/\+\+api\+\+/\+\+api\+\+(/.*)$ /++api++$1 permanent;
}

# Prefix match; regex locations above take precedence, so only single
# ++api++ paths reach the backend here.
location /++api++ {
    proxy_pass http://plone-backend;
}

In this configuration, any URL beginning with /++api++/++api++ is redirected to the same URL with a single /++api++, so the doubled traverser never reaches Plone. Because the rewrite matches exactly one pair, a path with three or more ++api++ segments is reduced one pair per redirect until only one remains.
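The following script is an added example, not code from the advisory or the plone.rest project. It scans constructed nginx access-log lines for requests whose path carries two or more ++api++ segments (useful for checking whether the slow path is being hit before or after deploying the workaround) and shows a path normalisation that goes beyond the rewrite above by collapsing any number of repeated segments in one step. The log lines, addresses and paths are constructed sample data.

```python
import re

# Constructed sample lines in nginx "combined" log format; they are not real traffic.
SAMPLE_ACCESS_LOG = """\
203.0.113.10 - - [21/Sep/2023:15:15:01 +0000] "GET /Plone/++api++/front-page HTTP/1.1" 200 812 "-" "curl/8.1.0"
203.0.113.10 - - [21/Sep/2023:15:15:02 +0000] "GET /Plone/++api++/++api++/front-page HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.11 - - [21/Sep/2023:15:15:03 +0000] "GET /Plone/++api++/++api++/++api++/++api++/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.12 - - [21/Sep/2023:15:15:04 +0000] "POST /Plone/@@login?came_from=/++api++/x HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Fields of the combined format we need: client address, method, request path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def count_api_hops(path: str) -> int:
    """Number of ++api++ path segments; the query string is ignored."""
    path_only = path.split("?", 1)[0]
    return path_only.split("/").count("++api++")


def collapse_api_segments(path: str) -> str:
    """Fold any run of consecutive ++api++ segments into a single one.

    The nginx rewrite handles exactly two segments per redirect; this version
    collapses runs of any length in one pass and leaves the query string intact.
    """
    path_only, sep, query = path.partition("?")
    collapsed = re.sub(r"(?:/\+\+api\+\+){2,}(?=/|$)", "/++api++", path_only)
    return collapsed + sep + query


def find_repeated_api_requests(log_text: str, threshold: int = 2):
    """Return (ip, path, hops) for each request with >= threshold ++api++ segments."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue  # not a combined-format line; skip it
        hops = count_api_hops(m.group("path"))
        if hops >= threshold:
            hits.append((m.group("ip"), m.group("path"), hops))
    return hits


if __name__ == "__main__":
    for ip, path, hops in find_repeated_api_requests(SAMPLE_ACCESS_LOG):
        print(f"{ip} {hops} hops {path} -> {collapse_api_segments(path)}")
```

Run it against a real access log by replacing SAMPLE_ACCESS_LOG with the file contents; a steady stream of hits after the rewrite is deployed means the redirect is not being applied in front of Plone.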

By applying the available patches or the workaround above, administrators can mitigate this plone.rest vulnerability and keep HTTP request handling in their Plone instances responsive.

Timeline

Published on: 09/21/2023 15:15:00 UTC
Last modified on: 09/25/2023 18:53:00 UTC