- Component Type: TYPO3 CMS
- Subcomponent: Page Error Handling (ext:core, ext:frontend)
- Release Date: December 13, 2022
- Vulnerability Type: Denial of Service
- Affected Versions: 9.0.0-9.5.37, 10.0.0-10.4.32, 11.0.0-11.5.19
- Severity: Medium
- Suggested CVSS: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C
- References: CVE-2022-23500, CWE-405, CWE-674
Problem Description
Requesting invalid or non-existing resources via HTTP triggers the page error handler, which again could retrieve content to be shown as an error message from another page. This leads to a scenario in which the application is calling itself recursively - amplifying the impact of the initial attack until the limits of the web server are exceeded.
This vulnerability is very similar, but not identical, to the one described in TYPO3-CORE-SA-2021-005 (CVE-2021-21359).
Solution
Update to TYPO3 versions 9.5.38 ELTS, 10.4.33 or 11.5.20 that fix the problem described above.
Credits
Thanks to Daniel Schönfeld who reported this issue and to TYPO3 core & security team member Benni Mack who fixed the issue.
General Advice
Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.
General Note
All security related code changes are tagged so that you can easily look them up in our review system.