CVE-2021-21359 – typo3/cms-core

Package

Manager: composer
Name: typo3/cms-core
Vulnerable Version: >=10.0.0 <10.4.14 || >=11.0.0 <11.1.1 || >=9.0.0 <9.5.25

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: 0.02563 pctl0.84963

Details

Denial of Service in Page Error Handling > ### Meta > * CVSS: `CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C` (5.5) > * CWE-405, CWE-674 > * Status: **DRAFT** ### Problem Requesting invalid or non-existing resources via HTTP triggers the page error handler which again could retrieve content to be shown as error message from another page. This leads to a scenario in which the application is calling itself recursively - amplifying the impact of the initial attack until the limits of the web server are exceeded. ### Solution Update to TYPO3 versions 9.5.25, 10.4.14, 11.1.1 that fix the problem described. ### Credits Thanks to Paul Keller, Mathias Bolt Lesniak and Kay Strobach who reported this issue and to TYPO3 framework merger Frank Nägler and to TYPO3 security team member Torben Hansen who fixed the issue. ### References * [TYPO3-CORE-SA-2021-005](https://typo3.org/security/advisory/typo3-core-sa-2021-005)

Metadata

Created: 2021-03-23T01:54:09Z
Modified: 2024-02-07T18:50:34Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-4p9g-qgx9-397p/GHSA-4p9g-qgx9-397p.json
CWE IDs: ["CWE-405", "CWE-674"]
Alternative ID: GHSA-4p9g-qgx9-397p
Finding: F002
Auto approve: 1