Miggo Logo
Miggo Vulnerability Database
CVE-2013-4199

CVE-2013-4199: Plone Denial of Service vulnerability via decompressing large zip archives

3.1

CVSS Score
3.1

Basic Information

CVE ID
CVE-2013-4199
GHSA ID
GHSA-xfjq-9rxq-ph6m
EPSS Score
0.64159%
CWE
CWE-400
Published
5/17/2022
Updated
10/17/2024
KEV Status
No
Technology
TechnologyPython

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
Package NameEcosystemVulnerable VersionsFirst Patched Version
plonepip>= 4.3, < 4.3.24.3.2
plonepip>= 4.2, < 4.2.64.2.6
plonepip>= 2.1, <= 4.14.1.1

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability explicitly identifies cb_decode.py and linkintegrity.py as the affected files. These files are directly involved in zip archive decompression and post-decompression link integrity operations. While the exact function names are not specified in public advisories, the standard naming conventions and functional roles of these files suggest that the primary functions responsible for decoding (cb_decode.py) and link integrity updates (linkintegrity.py) are the vulnerable components. The lack of resource limitation checks in these functions aligns with the described CWE-400 (Uncontrolled Resource Consumption) vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

(*) **_***o**.py *n* (*) linkint**rity.py in Plon* *.* t*rou** *.*, *.*.x t*rou** *.*.*, *n* *.*.x t*rou** *.*.* *llow r*mot* *ut**nti**t** us*rs to **us* * **ni*l o* s*rvi** (r*sour** *onsumption) vi* * l*r** zip *r**iv*, w*i** is *xp*n*** (***ompr*

Reasoning

T** vuln*r**ility *xpli*itly i**nti*i*s **_***o**.py *n* linkint**rity.py *s t** *****t** *il*s. T**s* *il*s *r* *ir**tly involv** in zip *r**iv* ***ompr*ssion *n* post-***ompr*ssion link int**rity op*r*tions. W*il* t** *x**t *un*tion n*m*s *r* not s