CVE-2023-42457

Name: CVE-2023-42457
Creator: NVD / NIST
Published: 2023-09-21T15:15:10.943+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 7.5/10EPSS 0.82%

Last modified Jun 17, 2026

CVE-2023-42457 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. plone.rest allows users to use HTTP verbs such as GET, POST, PUT, DELETE, etc. in Plone. EPSS estimates a 0.82% chance of exploitation in the next 30 days.

Description

plone.rest allows users to use HTTP verbs such as GET, POST, PUT, DELETE, etc. in Plone. Starting in the 2.x branch and prior to versions 2.0.1 and 3.0.1, when the `++api++` traverser is accidentally used multiple times in a url, handling it takes increasingly longer, making the server less responsive. Patches are available in `plone.rest` 2.0.1 and 3.0.1. Series 1.x is not affected. As a workaround, one may redirect `/++api++/++api++` to `/++api++` in one's frontend web server (nginx, Apache).

Metrics

CVSS 3.1

7.5/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Probability

0.82%

52.6th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Plone	Rest	2.0.0
Plone	Rest	3.0.0

References

http://www.openwall.com/lists/oss-security/2023/09/22/2Mailing List, Third Party Advisory
https://github.com/plone/plone.rest/commit/43b4a7e86206e237e1de5ca3817ed071575882f7Patch
https://github.com/plone/plone.rest/commit/77846a9842889b24f35e8bedc2e9d461388d3302Patch
https://github.com/plone/plone.rest/security/advisories/GHSA-h6rp-mprm-xgcqVendor Advisory
http://www.openwall.com/lists/oss-security/2023/09/22/2Mailing List, Third Party Advisory
https://github.com/plone/plone.rest/commit/43b4a7e86206e237e1de5ca3817ed071575882f7Patch
https://github.com/plone/plone.rest/commit/77846a9842889b24f35e8bedc2e9d461388d3302Patch
https://github.com/plone/plone.rest/security/advisories/GHSA-h6rp-mprm-xgcqVendor Advisory

Timeline

Published: Sep 21, 2023
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2023-42457?

How severe is CVE-2023-42457?

CVE-2023-42457 has a CVSS score of 7.5/10 (HIGH severity). The EPSS model estimates a 0.82% probability of exploitation in the next 30 days.

How do I fix CVE-2023-42457?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2023-42457?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST