PT-2023-26473 · Kirby · Kirby

5Hank4R

·

Published

2023-07-27

·

Updated

2023-08-03

·

CVE-2023-38492

CVSS v3.1

5.3

Medium

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Name of the Vulnerable Software and Affected Versions

Kirby versions prior to 3.5.8.3
Kirby versions prior to 3.6.6.3
Kirby versions prior to 3.7.5.2
Kirby versions prior to 3.8.4.1
Kirby versions prior to 3.9.6
Description

The issue affects Kirby sites with user accounts, unless Kirby's API and Panel are disabled in the config. Its real-world impact is limited; updating to one of the patch releases is nevertheless recommended, because they also fix more severe issues.

Kirby's authentication endpoint did not limit the password length, so an attacker could submit a password as long as the server's maximum request body allows. Validating the submitted password against the user's stored hash requires hashing it, and that work costs more CPU and memory the longer the submitted password is. An attacker could abuse this to make the site unresponsive or unavailable.

Because Kirby ships with built-in brute-force protection, the impact is bounded to 10 failed logins per IP address and 10 failed logins per existing user per hour.
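The following is an added illustration, not Kirby's own code: a minimal PHP login check in the vulnerable shape the description outlines (the submitted password goes straight into the hash) beside a hardened variant that rejects oversized input before any hashing. The in-memory user table, the function names and the 1000-byte ceiling are assumptions chosen for the example, not values taken from the advisory.

```php
<?php
// Added example, not Kirby's code. Shows an unbounded-length login check
// next to one that caps the password size before hashing.
// Assumptions: the user table, function names and MAX_PASSWORD_BYTES are
// illustrative choices, not taken from the Kirby source or the advisory.

declare(strict_types=1);

const MAX_PASSWORD_BYTES = 1000; // assumed ceiling, far above any real password

// Constructed sample user store: username => password hash.
function sampleUsers(): array
{
    static $users = null;
    if ($users === null) {
        $users = [
            'editor' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
        ];
    }
    return $users;
}

// Vulnerable shape: whatever the client sends is handed to password_verify(),
// so the only bound on the input is the server's request body limit.
function loginUnchecked(string $username, string $password): bool
{
    $hash = sampleUsers()[$username] ?? null;
    if ($hash === null) {
        return false;
    }
    return password_verify($password, $hash);
}

// Hardened shape: reject oversized input before any hashing happens.
// strlen() counts bytes, which is the quantity that drives request size and
// hashing work; a character count could understate it for multibyte input.
function loginChecked(string $username, string $password): bool
{
    if (strlen($password) > MAX_PASSWORD_BYTES) {
        // Count this as a failed login so brute-force counters still advance,
        // but do not spend CPU or memory on password_verify().
        return false;
    }
    $hash = sampleUsers()[$username] ?? null;
    if ($hash === null) {
        return false;
    }
    return password_verify($password, $hash);
}

// Demonstration with a constructed 5 MiB "password".
$huge = str_repeat('A', 5 * 1024 * 1024);

var_dump(loginUnchecked('editor', $huge));                          // false, after hashing
var_dump(loginChecked('editor', $huge));                            // false, rejected up front
var_dump(loginChecked('editor', 'correct horse battery staple'));   // true
var_dump(loginChecked('editor', 'wrong password'));                 // false
```

How much hashing work the cap saves depends on the algorithm: PHP's PASSWORD_DEFAULT (bcrypt) only reads the first 72 bytes of the password, whereas PASSWORD_ARGON2ID processes the whole input. In either case the server has already accepted and buffered the oversized request body by the time the application sees it, so the length check should be paired with a body-size limit in front of the application (for example nginx's client_max_body_size or PHP's post_max_size).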
Recommendations

Update to Kirby version 3.5.8.3 or later to fix the vulnerability.
Update to Kirby version 3.6.6.3 or later to fix the vulnerability.
Update to Kirby version 3.7.5.2 or later to fix the vulnerability.
Update to Kirby version 3.8.4.1 or later to fix the vulnerability.
Update to Kirby version 3.9.6 or later to fix the vulnerability.

Weakness Enumeration

CWE-770: Allocation of Resources Without Limits or Throttling

Related Identifiers

CVE-2023-38492
GHSA-3V6J-V3QC-CXFF

Affected Products

Kirby