Apache Sling 2.2.0/2.3.0 Denial Of Service

2013.10.10
Credit: Antonio Sanso
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-119


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: None
Integrity impact: None
Availability impact: Partial

CVE-2013-2254: Apache Sling denial of service vulnerability

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: Apache Sling org.apache.sling.servlets.post.bundle versions 2.2.0 and 2.3.0

Description: With some combinations of access control settings and request paths, the POST servlet in the Apache Sling org.apache.sling.servlets.post bundle versions 2.2.0 and 2.3.0 can cause infinite loops, potentially leading to denial of service attacks.

Mitigation: Users of those bundle versions should update to version 2.3.2 of the bundle (http://sling.apache.org/downloads.cgi) <http://svn.apache.org/viewvc?rev=680950&view=rev>

Credit: This issue was reported by Antonio Sanso of Adobe Systems Incorporated.

References:
http://sling.apache.org/project-information/security.html
https://issues.apache.org/jira/browse/SLING-2913

Regards
Carsten Ziegeler
On Behalf of the Apache Sling Project Management Committee

--
Carsten Ziegeler
cziegeler@apache.org

References:

http://sling.apache.org/project-information/security.html
https://issues.apache.org/jira/browse/SLING-2913
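The advisory's only mitigation is a bundle upgrade, so the practical check is to find out which version of org.apache.sling.servlets.post is actually deployed. The script below is an added example, not code from the advisory or the Sling project. It assumes the instance exposes the Apache Felix Web Console bundle list as JSON (the /system/console/bundles.json endpoint) and that the document has a "data" array whose entries carry "symbolicName" and "version" fields; the sample document embedded in the block is constructed to that assumed shape, not captured from a real instance. Only the two versions the advisory names are reported as affected; anything else below the 2.3.2 fix is flagged separately for review rather than asserted vulnerable.

```python
import json

# Symbolic name of the bundle the advisory is about.
POST_BUNDLE = "org.apache.sling.servlets.post"
# Versions the advisory lists as affected, and the version that carries the fix.
AFFECTED_VERSIONS = {(2, 2, 0), (2, 3, 0)}
FIXED_VERSION = (2, 3, 2)


def bundles_json_with_post_version(version):
    """Build a constructed bundle list in the assumed Felix Web Console JSON shape.

    Used both as the sample input for this example and to try other versions.
    """
    return json.dumps({
        "status": "Bundle information: 3 bundles in total - all 3 bundles active.",
        "s": [3, 3, 0, 0, 0],
        "data": [
            {"id": 12, "name": "Apache Sling Post Servlets",
             "symbolicName": POST_BUNDLE, "version": version, "state": "Active"},
            {"id": 13, "name": "Apache Sling GET Servlets",
             "symbolicName": "org.apache.sling.servlets.get", "version": "2.1.2",
             "state": "Active"},
            {"id": 14, "name": "Apache Sling Engine",
             "symbolicName": "org.apache.sling.engine", "version": "2.2.8",
             "state": "Active"},
        ],
    })


# Constructed sample: an instance still running the affected 2.3.0 bundle.
SAMPLE_BUNDLES_JSON = bundles_json_with_post_version("2.3.0")


def parse_osgi_version(version):
    """Return (major, minor, micro) from an OSGi version string.

    OSGi versions are major.minor.micro[.qualifier]; the qualifier (e.g. a build
    tag) is ignored and missing numeric parts default to 0.
    """
    numbers = []
    for part in version.split(".")[:3]:
        if not part.isdigit():
            break
        numbers.append(int(part))
    while len(numbers) < 3:
        numbers.append(0)
    return tuple(numbers)


def check_post_bundle(bundles_json):
    """Report the status of every installed org.apache.sling.servlets.post bundle.

    Returns a list of dicts with the bundle id, the raw version string and a
    status classification. More than one copy of the bundle can be installed
    in an OSGi framework, so every match is reported.
    """
    data = json.loads(bundles_json).get("data", [])
    results = []
    for bundle in data:
        if bundle.get("symbolicName") != POST_BUNDLE:
            continue
        version = parse_osgi_version(bundle["version"])
        if version in AFFECTED_VERSIONS:
            status = "AFFECTED (CVE-2013-2254): update to 2.3.2"
        elif version < FIXED_VERSION:
            status = "not listed as affected, but below the 2.3.2 fix: review"
        else:
            status = "ok"
        results.append({"id": bundle["id"], "version": bundle["version"],
                        "status": status})
    return results


if __name__ == "__main__":
    for entry in check_post_bundle(SAMPLE_BUNDLES_JSON):
        print(f"bundle {entry['id']} ({POST_BUNDLE} {entry['version']}): {entry['status']}")
```

To run this against a live instance, fetch the bundle list with the console's credentials (for example `curl -u admin:admin http://host:8080/system/console/bundles.json`) and pass the response body to `check_post_bundle`. If no entry comes back at all, the bundle is not installed under that symbolic name, which is also worth confirming before treating the instance as unaffected.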


Copyright 2024, cxsecurity.com
