
CVE-2013-4199: Plone Denial of Service vulnerability via decompressing large zip archives

CVSS Score
3.1

Basic Information

EPSS Score
0.64159%
Published
5/17/2022
Updated
10/17/2024
KEV Status
No
Technology
Python

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
Package Name   Ecosystem   Vulnerable Versions   First Patched Version
plone          pip         >= 4.3, < 4.3.2       4.3.2
plone          pip         >= 4.2, < 4.2.6       4.2.6
plone          pip         >= 2.1, <= 4.1        4.1.1

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability explicitly identifies cb_decode.py and linkintegrity.py as the affected files. These files are directly involved in zip archive decompression and post-decompression link integrity operations. While the exact function names are not specified in public advisories, the standard naming conventions and functional roles of these files suggest that the primary functions responsible for decoding (cb_decode.py) and link integrity updates (linkintegrity.py) are the vulnerable components. The lack of resource limitation checks in these functions aligns with the described CWE-400 (Uncontrolled Resource Consumption) vulnerability.

Vulnerable functions

Only Miggo users can see this section

WAF Protection Rules

WAF Rule

(1) cb_decode.py and (2) linkintegrity.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allow remote authenticated users to cause a denial of service (resource consumption) via a large zip archive, which is expanded (decompre
