CVE-2013-4188: Plone Authenticated Denial of Service vulnerability

CVSS Score: 4.4 (CVSS 3.1)

Basic Information
CVE ID: CVE-2013-4188
GHSA ID:
EPSS Score: 0.67438%
CWE:
Published: 5/17/2022
Updated: 10/15/2024
KEV Status: No
Technology: Python
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| plone | pip | >= 4.3, < 4.3.2 | 4.3.2 |
| plone | pip | >= 4.2, < 4.2.6 | 4.2.6 |
| plone | pip | >= 2.1, <= 4.1 | 4.1.1 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
- The vulnerability description explicitly references traverser.py as the source
- The CWE-400 (resource consumption) and Red Hat's CWE-835 mapping (infinite loop) indicate a traversal logic flaw
- The Traverser class is core to Plone's URL resolution mechanism
- Admin privileges align with the ability to access traversal endpoints
- The 'retrieving information for certain resources' attack vector matches publishTraverse's purpose of resolving URL paths to objects
- Infinite loops in traversal typically occur in path resolution methods like publishTraverse when cycle detection fails