oss-sec mailing list archives

CVE-2024-23952: Apache Superset: Allows for uncontrolled resource consumption via a ZIP bomb (version range fix for CVE-2023-46104)

From: Daniel Gaspar <dpgaspar () apache org>
Date: Wed, 14 Feb 2024 11:03:06 +0000

Affected versions:

- Apache Superset before 2.1.3
- Apache Superset 3.0.0 before 3.0.2

Description:

This is a duplicate for CVE-2023-46104. With correct CVE version ranges for affected Apache Superset.
 
Uncontrolled resource consumption can be triggered by authenticated attacker that uploads a malicious ZIP to import 
database, dashboards or datasets.  
This vulnerability exists in Apache Superset versions up to and including 2.1.2 and versions 3.0.0, 3.0.1.

Credit:

Dor Konis – GE Vernova (finder)

References:

https://superset.apache.org
https://www.cve.org/CVERecord?id=CVE-2024-23952

Current thread:

CVE-2024-23952: Apache Superset: Allows for uncontrolled resource consumption via a ZIP bomb (version range fix for CVE-2023-46104) Daniel Gaspar (Feb 14)
- Re: CVE-2024-23952: Apache Superset: Allows for uncontrolled resource consumption via a ZIP bomb (version range fix for CVE-2023-46104) Solar Designer (Feb 14)