
CVE-2023-23617: DoS vulnerability in MaliciousCode filter

CVSS Score (v3.1)
4.9

Basic Information

EPSS Score
0.33123%
Published
1/27/2023
Updated
1/28/2023
KEV Status
No
Technology
PHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Package Name         | Ecosystem | Vulnerable Versions   | First Patched Version
openmage/magento-lts | composer  | < 19.4.22             | 19.4.22
openmage/magento-lts | composer  | >= 20.0.0, < 20.0.19  | 20.0.19

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The commit diff explicitly modifies the loop structure of the filter() method, replacing the intermediate $result variable with direct, in-place modification of $value. In the original code, the loop stored each pass's output in $result rather than feeding it back into $value, so when a preg_replace() match persisted from one iteration to the next the loop made no sanitization progress and never terminated. The CWE-835 (infinite loop) classification and the patch context confirm this as the root cause.
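As an added illustration of the loop defect described above (a constructed example, not OpenMage's own filter() code): filterStale() is a hypothetical rebuild of the stale-variable loop shape the analysis describes, and filterInPlace() shows the in-place form with a hard iteration cap so that neither a persisting match nor a PCRE error can hang the request. The expression list, the function names and the sample input are all constructed for this example.

```php
<?php
// Constructed stand-in patterns, not OpenMage's own expression list.
const EXPRESSIONS = [
    '/<\/?script\b[^>]*>/i', // script tags
    '/javascript\s*:/i',     // javascript: URLs
];
const MAX_PASSES = 10;       // hard termination bound (CWE-835 guard)

// Hypothetical rebuild of the loop shape the root-cause analysis describes:
// the stripped output lands in $result, but preg_replace() keeps running on
// the unchanged $value, so a persisting match never clears and the loop
// cannot converge. MAX_PASSES only exists here so the illustration returns.
function filterStale(string $value, int &$passes): ?string
{
    for ($passes = 1; $passes <= MAX_PASSES; $passes++) {
        $result = preg_replace(EXPRESSIONS, '', $value);
        if ($result === null || $result === $value) {
            return $result;
        }
        // defect: $value is never updated from $result, so the next pass repeats
    }
    return null; // cap reached: without it this loop would spin forever
}

// Hardened shape: filter $value in place so each pass sees the previous
// pass's output, stop at the fixed point, and keep the cap so a PCRE error
// or a future logic slip still terminates.
function filterInPlace(string $value, int &$passes): ?string
{
    for ($passes = 1; $passes <= MAX_PASSES; $passes++) {
        $next = preg_replace(EXPRESSIONS, '', $value);
        if ($next === null) {
            return null;   // PCRE failure (e.g. backtrack limit): fail closed
        }
        if ($next === $value) {
            return $value; // stable: nothing left to strip
        }
        $value = $next;    // feed this pass's output into the next one
    }
    return null;           // still changing after MAX_PASSES: refuse the input
}

// Constructed input whose fragments only collapse after a second pass.
$sample = '<scr<script>ipt>x</script>';
foreach (['filterStale', 'filterInPlace'] as $fn) {
    $n = 0;
    printf("%-13s => %s after %d pass(es)\n", $fn, var_export($fn($sample, $n), true), $n);
}
```

Running the script shows the stale loop exhausting its cap without ever changing the input, while the in-place loop reaches a stable result in a few passes; returning null on a cap hit lets the caller reject the request instead of serving partially filtered content.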

Vulnerable functions


WAF Protection Rules

WAF Rule

### Impact

Infinite loop in malicious code filter in certain conditions.

### Workarounds

None
