CVE-2024-23055
Published: 25 January 2024
Summary
CVE-2024-23055 is a medium-severity an unspecified weakness vulnerability in Plone Plone Docker Official Image. Its CVSS base score is 6.1 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 9.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
CVE-2024-23055 affects the Plone Docker Official Image version 5.2.13 (5221). The vulnerability stems from improper validation of input supplied through HTTP HOST headers, enabling remote code execution against the affected containerized deployment of the open-source Plone content-management system.
An unauthenticated remote attacker can trigger the flaw over the network with low attack complexity and no required privileges, provided a user interacts with a crafted request. Successful exploitation yields limited impact on confidentiality and integrity within a changed security scope, while availability remains unaffected.
The supplied references point to the vendor domains plone.com and ploneorg.com along with a public repository containing exploit details, yet contain no explicit statements on patches, workarounds, or configuration changes. The associated EPSS score has remained flat at 0.0537 with no observed upward trajectory after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-20580
Vulnerability details
An issue in Plone Docker Official Image 5.2.13 (5221) open-source software allows for remote code execution via improper validation of input by the HOST headers.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE-2024-23055 enables remote code execution in the public-facing Plone CMS Docker image via improper HOST header validation, directly facilitating exploitation of public-facing applications.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.