CVE-2013-2254

The deepGetOrCreateNode function in impl/operations/AbstractCreateOperation.java in org.apache.sling.servlets.post.bundle 2.2.0 and 2.3.0 in Apache Sling does not properly handle a NULL value that returned when the session does not have permissions to the root node, which allows remote attackers to cause a denial of service (infinite loop) via unspecified vectors.

Published: Oct 18, 2013
Updated: May 9, 2024
CVE: CVE-2013-2254
GHSA: GHSA-cxwh-vmhg-39r2
Severity: Medium
Exploit:

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:N/I:N/A:P

CWEs:

CWE-119

Affected Software
References

Software	From	Fixed in
apache / org.apache.sling.servlets.post	2.2.0	2.2.0.x
apache / org.apache.sling.servlets.post	2.3.0	2.3.0.x
org.apache.sling / org.apache.sling.api	-	2.4.0

http://mail-archives.apache.org/mod_mbox/sling-dev/201310.mbox/%3CCAKkCf4pue6PnESsP1KTdEDJm1gpkANFaK%2BvUd9mzEVT7tXL%2B3A%40mail.gmail.com%3E
http://secunia.com/advisories/55157
http://www.securityfocus.com/bid/62903
https://exchange.xforce.ibmcloud.com/vulnerabilities/87765
https://issues.apache.org/jira/browse/SLING-2913

Vulnerability Database

290,206

CVE-2013-2254