Fluid Attacks Database

Description

Denial of Service in Page Error Handling

Meta

CVSS: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C (5.5)

CWE-405, CWE-674

Status: DRAFT

Problem

Requesting invalid or non-existing resources via HTTP triggers the page error handler which again could retrieve content to be shown as error message from another page. This leads to a scenario in which the application is calling itself recursively - amplifying the impact of the initial attack until the limits of the web server are exceeded.

Solution

Update to TYPO3 versions 9.5.25, 10.4.14, 11.1.1 that fix the problem described.

Credits

Thanks to Paul Keller, Mathias Bolt Lesniak and Kay Strobach who reported this issue and to TYPO3 framework merger Frank Nägler and to TYPO3 security team member Torben Hansen who fixed the issue.

References

TYPO3-CORE-SA-2021-005

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
packagist	typo3/cms-core	>=10.0.0 <10.4.14 \|\| >=11.0.0 <11.1.1 \|\| >=9.0.0 <9.5.25	10.4.14, 11.1.1, 9.5.25
packagist	typo3/cms	>=10.0.0 <10.4.14 \|\| >=11.0.0 <11.1.1 \|\| >=9.0.0 <9.5.25	10.4.14, 11.1.1, 9.5.25

Aliases

1. CVE-2021-213592. NVD-2021-213593. OSV-2021-213594. GHSA-4p9g-qgx9-397p5. GCVE-2021-21359

References

1. https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-4p9g-qgx9-397p2. https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2021-21359.yaml3. https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2021-21359.yaml4. https://packagist.org/packages/typo3/cms-core5. https://typo3.org/security/advisory/typo3-core-sa-2021-005

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.