PT-2023-6514 · Unknown · Plone.Rest

Fred Van Dijk · Published 2023-09-21 · Updated 2023-09-25 · CVE-2023-42457

CVSS v2.0: 7.8 (High), Vector AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions: plone.rest 2.x releases prior to 2.0.1; plone.rest 3.x releases prior to 3.0.1. Fixed in 2.0.1 and 3.0.1.
Description: The ++api++ traverser in plone.rest marks a request as a REST API call so that HTTP verbs such as GET, POST, PUT and DELETE can be used against Plone content. When the traverser appears more than once in a URL (for example /++api++/++api++/...), whether by accident or by design, handling the request takes increasingly longer with each repetition and the server becomes less responsive. An unauthenticated attacker can send such URLs to exhaust the server's capacity and cause a denial of service (the CVSS vector above reflects an availability-only impact with no authentication required).
Recommendations: Update plone.rest 2.x to version 2.0.1 and plone.rest 3.x to version 3.0.1. As a temporary workaround, redirect /++api++/++api++ to /++api++ in the frontend web server (nginx, Apache) so that repeated traversers never reach Plone. A rule that matches only the literal doubled prefix leaves URLs with three or more repeats, or with the repeat placed deeper in the path, untouched; match any repeated ++api++ segment rather than the exact doubled form.
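The workaround above, applied at the application edge rather than in nginx, as an added example for this page (it is not plone.rest or Plone code). It assumes a standard WSGI stack in front of Plone, the ++api++ traverser name from the advisory, and a constructed access-log format for the scan; it generalises the advisory's single redirect to any number of repeated ++api++ segments anywhere in the path.

```python
"""Workaround for the repeated-++api++ slowdown, as a WSGI middleware.

Added example for this page; not plone.rest or Plone code. Assumes a WSGI
stack (Plone/Zope behind waitress or similar), the ++api++ traverser name
from the advisory, and a constructed combined-log format for the scan.
"""
from typing import Callable, Iterable, List, Tuple
from urllib.parse import quote

API_SEGMENT = "++api++"  # the plone.rest traverser named in the advisory


def count_api_segments(path: str) -> int:
    """Count ++api++ path segments in a raw (already URL-decoded) path."""
    return sum(1 for seg in path.split("/") if seg == API_SEGMENT)


def dedupe_api_path(path: str) -> str:
    """Keep the first ++api++ segment and drop every later repeat.

    Generalises the advisory's 'redirect /++api++/++api++ to /++api++' to
    any number of repeats anywhere in the path (an assumption made here).
    """
    out: List[str] = []
    seen = False
    for seg in path.split("/"):
        if seg == API_SEGMENT:
            if seen:
                continue
            seen = True
        out.append(seg)
    return "/".join(out)


class ApiTraverserGuard:
    """WSGI middleware: 301-redirect any request carrying more than one
    ++api++ segment to the de-duplicated path, so Plone never traverses
    the repeats."""

    def __init__(self, app: Callable) -> None:
        self.app = app

    def __call__(self, environ, start_response) -> Iterable[bytes]:
        path = environ.get("PATH_INFO", "")
        if count_api_segments(path) <= 1:
            return self.app(environ, start_response)  # normal request
        # Re-encode the decoded path; keep '+' and '@' literal so the
        # traverser and @endpoint names survive the round trip.
        location = quote(dedupe_api_path(path), safe="/+@:~")
        query = environ.get("QUERY_STRING", "")
        if query:
            location += "?" + query
        start_response("301 Moved Permanently",
                       [("Location", location), ("Content-Length", "0")])
        return [b""]


def simulate(path: str, query: str = "") -> Tuple[str, str]:
    """Run one request through the guard in front of a stub upstream app
    and return (status line, Location header or '')."""
    captured = {}

    def upstream(environ, start_response):
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"ok"]

    def start_response(status, headers):
        captured["status"] = status
        captured["location"] = dict(headers).get("Location", "")

    environ = {"PATH_INFO": path, "QUERY_STRING": query}
    list(ApiTraverserGuard(upstream)(environ, start_response))
    return captured["status"], captured["location"]


def suspicious_requests(log_lines: Iterable[str]) -> List[str]:
    """Return access-log lines whose request path carries repeated ++api++
    segments (assumes combined log format: ... "GET /path HTTP/1.1" ...)."""
    hits = []
    for line in log_lines:
        try:
            request = line.split('"')[1]            # GET /path HTTP/1.1
            path = request.split(" ")[1].split("?")[0]
        except IndexError:
            continue                                 # not a request line
        if count_api_segments(path) > 1:
            hits.append(line)
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [21/Sep/2023:10:00:01 +0000] "GET /++api++/Plone/@search HTTP/1.1" 200 512',
    '203.0.113.5 - - [21/Sep/2023:10:00:02 +0000] "GET /++api++/++api++/++api++/++api++/Plone HTTP/1.1" 200 8192',
    '198.51.100.7 - - [21/Sep/2023:10:00:03 +0000] "GET /Plone/front-page HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    print(simulate("/++api++/++api++/Plone/@search", "b_size=10"))
    for hit in suspicious_requests(SAMPLE_LOG):
        print("repeated ++api++:", hit)
```

The redirect mirrors the advisory's nginx/Apache workaround, but the check runs on the decoded PATH_INFO and counts segments rather than matching a fixed prefix, so four repeats or a repeat after the site root are caught as well. The log scan is the same test run over historical traffic to see whether the pattern was already being probed before the upgrade to 2.0.1 or 3.0.1.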

Exploit

Fix

Weakness Enumeration

Resource Exhaustion (CWE-400, Uncontrolled Resource Consumption)

Allocation of Resources Without Limits or Throttling (CWE-770)

Related Identifiers

BDU:2023-07261
CVE-2023-42457
GHSA-h6rp-mprm-xgcq
PYSEC-2023-178

Affected Products

Plone.Rest