Lucene search

GitHub Advisory DatabaseGHSA-3CXX-3F53-M92C

HistoryNov 15, 2022 - 12:00 p.m.

Concrete CMS vulnerable to Uncontrolled Resource Consumption leading to DoS

2022-11-1512:00:17

CWE-770

GitHub Advisory Database

github.com

concrete cms

uncontrolled resource consumption

dos

vulnerability

auth type concrete cookie map table.

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

0.001 Low

EPSS

Percentile

51.0%

JSON

In Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2, the authTypeConcreteCookieMap table can be filled up causing a denial of service (high load).

Affected configurations

Vulners

Node

concrete5concrete5Range<9.1.3

concrete5concrete5Range<8.5.10

CPENameOperatorVersion
concrete5/concrete5lt9.1.3
concrete5/concrete5lt8.5.10

CPE	Name	Operator	Version
	concrete5/concrete5	lt	9.1.3
	concrete5/concrete5	lt	8.5.10

References

documentation.concretecms.org/developers/introduction/version-history/8510-release-notes

documentation.concretecms.org/developers/introduction/version-history/913-release-notes

github.com/advisories/GHSA-3cxx-3f53-m92c

github.com/concretecms/concretecms/releases/8.5.10

github.com/concretecms/concretecms/releases/9.1.3

nvd.nist.gov/vuln/detail/CVE-2022-43686

www.concretecms.org/about/project-news/security/concrete-cms-security-advisory-2022-10-31

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

0.001 Low

EPSS

Percentile

51.0%

JSON

Related for GHSA-3CXX-3F53-M92C