Beware of Repeated API Requests Slowing Down Your Plone Site

CVE: CVE-2023-42457
CVSS v3.1: 7.5
Source: CVE-2023-42457

Plone is an open source content management system (CMS) written in Python. It allows users to manage and publish web content easily.

A vulnerability was discovered in Plone’s REST API module, plone.rest. When the ++api++ traverser appears more than once in a URL, such as /++api++/++api++, each additional ++api++ segment makes the request more expensive for the server to process. Repeated requests of this kind can slow down the entire Plone site over time.

A malicious actor could exploit this by making repeated API requests with multiple ++api++ segments. This would consume more server resources and degrade performance for legitimate users. Services such as comment sections, user logins, and publishing workflows may become very slow or unresponsive.

The developers have released updates for plone.rest versions 2.x and 3.x which fix this issue. Plone sites running older versions should upgrade immediately. As a temporary workaround, site administrators can redirect requests containing duplicate ++api++ segments to the single ++api++ path using their web server’s configuration.
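The workaround above is normally done in the front-end web server, but the same canonicalisation can be expressed as a small WSGI middleware in front of a WSGI-served Plone. The following is an added example, not code from plone.rest or the Plone project; the class and helper names are hypothetical, and `_plone_stub` is a constructed stand-in for the real application.

```python
"""Collapse repeated ++api++ traversal segments before a request reaches Plone."""
import re
from typing import Callable, Iterable, Tuple
from urllib.parse import quote

# A run of one or more "/++api++" segments that ends at a "/" or the end of the path.
_API_RUN = re.compile(r"(?:/\+\+api\+\+)+(?=/|$)")


def canonical_api_path(path: str) -> str:
    """Return the path with every run of ++api++ segments collapsed to a single one."""
    return _API_RUN.sub("/++api++", path)


class CollapseApiTraverser:
    """WSGI middleware (hypothetical): redirect duplicate ++api++ paths to the canonical path."""

    def __init__(self, app: Callable) -> None:
        self.app = app

    def __call__(self, environ: dict, start_response: Callable) -> Iterable[bytes]:
        path = environ.get("PATH_INFO", "")
        canonical = canonical_api_path(path)
        if canonical == path:
            return self.app(environ, start_response)  # nothing to collapse: pass through
        location = quote(canonical, safe="/+")  # keep the '+' characters literal
        if environ.get("QUERY_STRING"):
            location += "?" + environ["QUERY_STRING"]
        start_response("301 Moved Permanently", [("Location", location), ("Content-Length", "0")])
        return [b""]


def _plone_stub(environ: dict, start_response: Callable) -> Iterable[bytes]:
    """Constructed stand-in for the Plone WSGI application: echoes the path it received."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [environ["PATH_INFO"].encode()]


def handle(path: str, query: str = "") -> Tuple[str, str]:
    """Push one request through the middleware; return (status, Location header or '')."""
    captured = {}

    def start_response(status, headers):
        captured["status"], captured["headers"] = status, dict(headers)

    app = CollapseApiTraverser(_plone_stub)
    b"".join(app({"PATH_INFO": path, "QUERY_STRING": query}, start_response))
    return captured["status"], captured["headers"].get("Location", "")


if __name__ == "__main__":
    print(handle("/++api++/++api++/++api++/news", "b_size=5"))  # ('301 Moved Permanently', '/++api++/news?b_size=5')
    print(handle("/++api++/news"))  # ('200 OK', '')
```

A redirect costs the server a single cheap response per request, whereas letting the duplicated traversal reach Plone costs more with every extra segment.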

It’s always a good idea to keep your Plone installation up-to-date to protect against vulnerabilities. Monitor your site for unexpected slowdowns and check for available security updates regularly. Taking some basic precautions can help prevent performance issues and denial of service attacks on your Plone CMS.
