Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

Re: CVE-2024-23952: Apache Superset: Allows for uncontrolled resource consumption via a ZIP bomb (version range fix for CVE-2023-46104)

Related Vulnerabilities: CVE-2024-23952   CVE-2023-46104  
Source 
                							

                <!--X-Body-Begin-->
<!--X-User-Header-->

oss-sec
mailing list archives
<!--X-User-Header-End-->
<!--X-TopPNI-->

By Date

By Thread

</form>

<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
Re: CVE-2024-23952: Apache Superset: Allows for uncontrolled resource consumption via a ZIP bomb (version range fix for CVE-2023-46104)

<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->

From: Solar Designer &lt;solar () openwall com&gt;

Date: Wed, 14 Feb 2024 14:05:51 +0100

<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->

<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
Hi Daniel,

On Wed, Feb 14, 2024 at 11:03:06AM +0000, Daniel Gaspar wrote:
Affected versions:

- Apache Superset before 2.1.3
- Apache Superset 3.0.0 before 3.0.2

Description:

This is a duplicate for CVE-2023-46104. With correct CVE version ranges for affected Apache Superset.

This looks like misuse of CVE, and it only made things worse.  Now you
need not only to update the original CVE's description, but also get
this new CVE formally REJECT'ed as duplicate.  You might need assistance
from others at Apache to get this right.

Uncontrolled resource consumption can be triggered by authenticated attacker that uploads a malicious ZIP to import 
database, dashboards or datasets.
This vulnerability exists in Apache Superset versions up to and including 2.1.2 and versions 3.0.0, 3.0.1.

Credit:

Dor Konis ??? GE Vernova (finder)

References:

https://superset.apache.org
https://www.cve.org/CVERecord?id=CVE-2024-23952

Here's the previous report with CVE-2023-46104:

https://www.openwall.com/lists/oss-security/2023/12/19/1

Looks like the only thing that changed is "before 3.0.1" corrected to
"before 3.0.2".

Alexander

<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->

<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->

By Date

By Thread

Current thread:

CVE-2024-23952: Apache Superset: Allows for uncontrolled resource consumption via a ZIP bomb (version range fix for CVE-2023-46104) Daniel Gaspar (Feb 14)

Re: CVE-2024-23952: Apache Superset: Allows for uncontrolled resource consumption via a ZIP bomb (version range fix for CVE-2023-46104) Solar Designer (Feb 14)

<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started