CVE-2021-21359: Denial of Service in Page Error Handling
First published: Tue Mar 16 2021(Updated: )
> ### Meta > * CVSS: `CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C` (5.5) > * CWE-405, CWE-674 > * Status: **DRAFT** ### Problem Requesting invalid or non-existing resources via HTTP triggers the page error handler which again could retrieve content to be shown as error message from another page. This leads to a scenario in which the application is calling itself recursively - amplifying the impact of the initial attack until the limits of the web server are exceeded. ### Solution Update to TYPO3 versions 9.5.25, 10.4.14, 11.1.1 that fix the problem described. ### Credits Thanks to Paul Keller, Mathias Bolt Lesniak and Kay Strobach who reported this issue and to TYPO3 framework merger Frank Nägler and to TYPO3 security team member Torben Hansen who fixed the issue. ### References * [TYPO3-CORE-SA-2021-005](https://typo3.org/security/advisory/typo3-core-sa-2021-005)
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| composer/typo3/cms | >=10.0.0<10.4.14>=11.0.0<11.1.1>=9.0.0<9.5.25 | |
| composer/typo3/cms-core | >=10.0.0<10.4.14>=11.0.0<11.1.1>=9.0.0<9.5.25 | |
| composer/typo3/cms | >=9.0.0<9.5.25 | 9.5.25 |
| composer/typo3/cms | >=11.0.0<11.1.1 | 11.1.1 |
| composer/typo3/cms | >=10.0.0<10.4.14 | 10.4.14 |
| composer/typo3/cms-core | >=9.0.0<9.5.25 | 9.5.25 |
| composer/typo3/cms-core | >=11.0.0<11.1.1 | 11.1.1 |
| composer/typo3/cms-core | >=10.0.0<10.4.14 | 10.4.14 |
| TYPO3 | >=9.0.0<9.5.25 | |
| TYPO3 | >=10.0.0<10.4.14 | |
| TYPO3 | >=11.0.0<11.1.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://typo3.org/security/advisory/typo3-core-sa-2021-005
- https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-4p9g-qgx9-397p
- https://packagist.org/packages/typo3/cms-core
- https://nvd.nist.gov/vuln/detail/CVE-2021-21359
- https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2021-21359.yaml
- https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2021-21359.yaml
- https://github.com/advisories/GHSA-4p9g-qgx9-397p (Advisory)
Frequently Asked Questions
What is CVE-2021-21359?
CVE-2021-21359 is a vulnerability in TYPO3 that allows for Denial of Service in Page Error Handling.
How does CVE-2021-21359 impact TYPO3?
CVE-2021-21359 can result in a Denial of Service attack on TYPO3 installations.
Which versions of TYPO3 are affected by CVE-2021-21359?
TYPO3 versions 10.0.0 to 10.4.14, 11.0.0 to 11.1.1, and 9.0.0 to 9.5.25 are affected by CVE-2021-21359.
How can I fix CVE-2021-21359 in TYPO3?
To fix CVE-2021-21359 in TYPO3, update to a version that includes the security patch provided by TYPO3.
Where can I find more information about TYPO3-CORE-SA-2021-005?
You can find more information about TYPO3-CORE-SA-2021-005 on the TYPO3 website at [https://typo3.org/security/advisory/typo3-core-sa-2021-005](https://typo3.org/security/advisory/typo3-core-sa-2021-005).
- collector/friends-of-php
- agent/weakness
- agent/type
- agent/first-publish-date
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-4p9g-qgx9-397p
- alias/CVE-2021-21359
- agent/software-canonical-lookup
- agent/references
- agent/description
- agent/author
- collector/github-advisory
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/title
- agent/last-modified-date
- agent/event
- agent/trending
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-index
- package-manager/composer
- vendor/typo3
- canonical/typo3 typo3
- version/typo3 typo3/9.0.0
- version/typo3 typo3/10.0.0
- version/typo3 typo3/11.0.0