CVE-2023-38492: 
PHP vulnerability analysis and mitigation

Kirby, a content management system, disclosed a vulnerability (CVE-2023-38492) affecting versions prior to 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6. The vulnerability was discovered in July 2023 and affects all Kirby sites with user accounts, unless Kirby's API and Panel are disabled in the configuration (GitHub Advisory).

The vulnerability stems from Kirby's authentication endpoint not implementing password length limitations. This allowed attackers to submit passwords with lengths up to the server's maximum request body length. The validation process requires hashing the provided password, which consumes increasing CPU and memory resources proportional to the password length. The vulnerability has been assigned CWE-770 (Allocation of Resources Without Limits or Throttling) and received a CVSS v3.1 base score of 5.3 (Medium) (NVD, GitHub Advisory).

The vulnerability could be exploited to cause the website to become unresponsive or unavailable through a denial of service attack. However, the real-world impact is limited due to Kirby's built-in brute force protection, which restricts failed login attempts to 10 per IP address and 10 per existing user per hour (GitHub Advisory).

The vulnerability has been patched in versions 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6. The fix implements password length limits, blocking passwords longer than 1000 bytes both during password setting and login attempts. Users are recommended to update to one of these patched versions or later releases (GitHub Advisory).