SCA: security update for getkirby/cms (GHSA-3v6j-v3qc-cxff)

high Tenable Cloud Security Plugin ID 409694

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Kirby is a content management system. A vulnerability in versions prior to 3.5.8.3, 3.6.6.3, 3.7.5.2,
3.8.4.1, and 3.9.6 affects all Kirby sites with user accounts (unless Kirby's API and Panel are disabled
in the config). The real-world impact of this vulnerability is limited, however we still recommend to
update to one of the patch releases because they also fix more severe vulnerabilities. Kirby's
authentication endpoint did not limit the password length. This allowed attackers to provide a password
with a length up to the server's maximum request body length. Validating that password against the user's
actual password requires hashing the provided password, which requires more CPU and memory resources (and
therefore processing time) the longer the provided password gets. This could be abused by an attacker to
cause the website to become unresponsive or unavailable. Because Kirby comes with a built-in brute force
protection, the impact of this vulnerability is limited to 10 failed logins from each IP address and 10
failed logins for each existing user per hour. The problem has been patched in Kirby 3.5.8.3, 3.6.6.3,
3.7.5.2, 3.8.4.1, and 3.9.6. In all of the mentioned releases, the maintainers have added password length
limits in the affected code so that passwords longer than 1000 bytes are immediately blocked, both when
setting a password and when logging in. (CVE-2023-38492)

See Also

https://github.com/advisories/GHSA-3v6j-v3qc-cxff

Plugin Details

Severity: High

ID: 409694

Version: Revision 1.9

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 6/1/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.51

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 5.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS Score Source: CVE-2023-38492

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 7/28/2023

Vulnerability Publication Date: 7/27/2023

Reference Information

CVE: CVE-2023-38492

cwe: CWE-770