CVE-2022-43686

In Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2, the authTypeConcreteCookieMap table can be filled up causing a denial of service (high load).

CVSS v3.0 6.5 MEDIUM

6.5^/10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://documentation.concretecms.org/developers/introduction/version-history/8510-release-notes	Release Notes Vendor Advisory
https://documentation.concretecms.org/developers/introduction/version-history/8510-release-notes	Release Notes Vendor Advisory
https://documentation.concretecms.org/developers/introduction/version-history/913-release-notes	Release Notes Vendor Advisory
https://documentation.concretecms.org/developers/introduction/version-history/913-release-notes	Release Notes Vendor Advisory
https://github.com/concretecms/concretecms/releases/8.5.10	Patch Release Notes Third Party Advisory
https://github.com/concretecms/concretecms/releases/8.5.10	Patch Release Notes Third Party Advisory
https://github.com/concretecms/concretecms/releases/9.1.3	Patch Release Notes Third Party Advisory
https://github.com/concretecms/concretecms/releases/9.1.3	Patch Release Notes Third Party Advisory
https://www.concretecms.org/about/project-news/security/concrete-cms-security-advisory-2022-10-31	Vendor Advisory
https://www.concretecms.org/about/project-news/security/concrete-cms-security-advisory-2022-10-31	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:concretecms:concrete_cms::::::::
	cpe:2.3:a:concretecms:concrete_cms::::::::

History

30 Apr 2025, 16:15

Type	Values Removed	Values Added
References	~~(MISC) https://github.com/concretecms/concretecms/releases/9.1.3 - Patch, Release Notes, Third Party Advisory~~	() https://github.com/concretecms/concretecms/releases/9.1.3 - Patch, Release Notes, Third Party Advisory
References	~~(MISC) https://www.concretecms.org/about/project-news/security/concrete-cms-security-advisory-2022-10-31 - Vendor Advisory~~	() https://www.concretecms.org/about/project-news/security/concrete-cms-security-advisory-2022-10-31 - Vendor Advisory
References	~~(MISC) https://documentation.concretecms.org/developers/introduction/version-history/8510-release-notes - Release Notes, Vendor Advisory~~	() https://documentation.concretecms.org/developers/introduction/version-history/8510-release-notes - Release Notes, Vendor Advisory
References	~~(MISC) https://documentation.concretecms.org/developers/introduction/version-history/913-release-notes - Release Notes, Vendor Advisory~~	() https://documentation.concretecms.org/developers/introduction/version-history/913-release-notes - Release Notes, Vendor Advisory
References	~~(MISC) https://github.com/concretecms/concretecms/releases/8.5.10 - Patch, Release Notes, Third Party Advisory~~	() https://github.com/concretecms/concretecms/releases/8.5.10 - Patch, Release Notes, Third Party Advisory

08 Aug 2023, 14:21

Type	Values Removed	Values Added
CWE	~~CWE-400~~	CWE-770

Information

Published : 2022-11-14 22:15

Updated : 2025-04-30 16:15

NVD link : CVE-2022-43686

Mitre link : CVE-2022-43686

JSON object : View

Products Affected

concretecms

concrete_cms

CWE

CWE-770

Allocation of Resources Without Limits or Throttling

6.5 /10