CVE-2021-21359
Published: 23 March 2021
Summary
CVE-2021-21359 is a medium-severity Amplification (CWE-405) vulnerability in TYPO3 (vendor: TYPO3). Its CVSS base score is 5.9 (Medium).
Operationally, it ranks in the top 30.4% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-0598
Vulnerability details
TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 9.5.25, 10.4.14, 11.1.1 requesting invalid or non-existing resources via HTTP triggers the page error handler which again could retrieve content to be shown as error message from another page. This leads to a scenario in which the application is calling itself recursively - amplifying the impact of the initial attack until the limits of the web server are exceeded. This is fixed in versions 9.5.25, 10.4.14, 11.1.1.
- CWE(s): CWE-405 (Amplification)
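To make the amplification mechanism concrete, the following is an added model of the pattern the advisory describes; it is not TYPO3 code and the `Site` class, the `run` helper, the `SERVER_REQUEST_LIMIT` constant and the `internal` flag marking a nested error-page fetch are all assumptions of this example. The vulnerable variant lets the error handler request its own error page from the same site, so a missing error page re-enters the handler until the simulated server limit is hit; the guarded variant returns a static message on the nested failure instead.

```python
# Added example (not TYPO3's code): a minimal model of the CVE-2021-21359
# pattern. An error handler that fetches its error-message page over HTTP
# from the same site re-enters the handler when that page is itself missing.
from dataclasses import dataclass

SERVER_REQUEST_LIMIT = 50  # stands in for the web server's worker/recursion limit


@dataclass
class Site:
    pages: dict                  # path -> body for resources that exist
    error_page: str              # path the error handler fetches for its message
    guard: bool = False          # True: detect nested error-page fetches (hardened)
    requests: int = 0            # every request handled, nested ones included

    def handle(self, path: str, internal: bool = False) -> str:
        self.requests += 1
        if self.requests > SERVER_REQUEST_LIMIT:
            # Amplification succeeded: one client request exhausted the server.
            raise RuntimeError("server limit exceeded")
        if path in self.pages:
            return self.pages[path]
        return self._error(internal)

    def _error(self, internal: bool) -> str:
        # Hardened variant: a failure while already fetching the error page
        # falls back to a static message instead of issuing another request.
        if self.guard and internal:
            return "static 404"
        # Vulnerable variant: the handler requests the error page from itself,
        # and that request is handled by the very same code path.
        return "404: " + self.handle(self.error_page, internal=True)


def run(guard: bool) -> tuple:
    """Request a missing path on a site whose error page is also missing."""
    site = Site(pages={"/": "home"}, error_page="/missing-error-page", guard=guard)
    try:
        body = site.handle("/no-such-resource")
    except RuntimeError as exc:
        body = str(exc)
    return body, site.requests


if __name__ == "__main__":
    print("vulnerable:", run(guard=False))  # one request becomes 51 before the limit trips
    print("guarded:   ", run(guard=True))   # the nested failure stops at 2 requests
```

The request counter is the quantity a defender would watch: a single external 404 fanning out into dozens of internal requests is the signature of this amplification, and a guard on nested error-page fetches bounds it at one extra request.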
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Supports resumption at an alternate site when uncontrolled recursion causes primary site failure or crash.
- Employs controls that mitigate amplification attacks causing asymmetric resource use.
- Alternate services reduce the impact of amplification attacks that exhaust primary telecommunications resources.
- Amplification attacks that exhaust the primary path are mitigated by the existence of an independent alternate path for command traffic.
- Limits amplification effects by controlling how resources are allocated under high-volume or recursive load.