Miggo Logo

CVE-2012-5498: Plone denial of service via Caching Bypass

7.5

CVSS Score
3.1

Basic Information

EPSS Score
0.77803%
Published
5/17/2022
Updated
10/14/2024
KEV Status
No
Technology
TechnologyPython

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
plonepip< 4.2.34.2.3
Plonepip>= 4.3a0, < 4.3b14.3b1

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

Multiple authoritative sources (CVE description, Plone security advisory GHSA-97rj-p794-wq6m, Red Hat errata RHSA-2014:1194, and Openwall discussions) explicitly identify queryCatalog.py as the vulnerable component. The CWE-400 classification confirms this is a resource consumption issue stemming from improper caching. While the exact function name isn't explicitly stated in all sources, the file name convention and Plone architecture patterns make 'queryCatalog' the logical entry point for collection query handling. The patch in Plone 4.2.3/4.3b1 would have modified this function's caching logic.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

qu*ry**t*lo*.py in Plon* ***or* *.*.* *n* *.* ***or* **t* * *llows r*mot* *tt**k*rs to *yp*ss ****in* *n* **us* * **ni*l o* s*rvi** vi* * *r**t** r*qu*st to * *oll**tion.

Reasoning

Multipl* *ut*orit*tiv* sour**s (*V* **s*ription, Plon* s**urity **visory **S*-**rj-p***-wq*m, R** **t *rr*t* R*S*-****:****, *n* Op*nw*ll *is*ussions) *xpli*itly i**nti*y qu*ry**t*lo*.py *s t** vuln*r**l* *ompon*nt. T** *W*-*** *l*ssi*i**tion *on*irm