CVE-2013-2254

Name of the Vulnerable Software and Affected Versions Apache Sling org.apache.sling.servlets.post.bundle versions 2.2.0 through 2.3.0

Description The issue arises from the deepGetOrCreateNode function in AbstractCreateOperation.java, which fails to handle a NULL value returned when the session lacks permissions to the root node. This oversight allows remote attackers to trigger a denial of service, specifically an infinite loop, via unspecified vectors.

Recommendations For versions 2.2.0 and 2.3.0, consider restricting access to the deepGetOrCreateNode function in AbstractCreateOperation.java until a patch is available to properly handle NULL values and prevent infinite loops.