Impact
When the ++api++ traverser is accidentally used multiple times in a url, handling it takes increasingly longer, making the server less responsive.
Patches
Patches will be released in plone.rest 2.0.1 and 3.0.1. Series 1.x is not affected.
Workarounds
In your frontend web server (nginx, Apache) you can redirect /++api++/++api++ to /++api++.
Credits
This was reported to the Plone Security Team by Fred van Dijk. Thanks!
Impact
When the
++api++traverser is accidentally used multiple times in a url, handling it takes increasingly longer, making the server less responsive.Patches
Patches will be released in
plone.rest2.0.1 and 3.0.1. Series 1.x is not affected.Workarounds
In your frontend web server (nginx, Apache) you can redirect
/++api++/++api++to/++api++.Credits
This was reported to the Plone Security Team by Fred van Dijk. Thanks!