CVE-2023-46104
Apache Superset: Allows for uncontrolled resource consumption via a ZIP bomb
- Severity Score: 6.5 (CVSS v3.1)
- Public Exploits: 0 (multiple sources)
- Exploited in Wild: - (KEV)
- Decision: Track (SSVC)
Descriptions
Uncontrolled resource consumption can be triggered by an authenticated attacker who uploads a malicious ZIP file to import databases, dashboards or datasets.
This vulnerability exists in Apache Superset versions up to and including 2.1.2 and versions 3.0.0, 3.0.1.
Credits: Dor Konis – GE Vernova
SSVC
- Decision: Track
Timeline
- 2023-10-16 CVE Reserved
- 2023-12-19 CVE Published
- 2024-02-15 EPSS Updated
- 2024-09-16 CVE Updated
CWE
- CWE-400: Uncontrolled Resource Consumption
References (4)
URL | Tag | Date
---|---|---
http://www.openwall.com/lists/oss-security/2023/12/19/1 | Mailing List |
http://www.openwall.com/lists/oss-security/2024/02/14/2 | |
http://www.openwall.com/lists/oss-security/2024/02/14/3 | |
https://lists.apache.org/thread/yxbxg4wryb7cb7wyybk11l5nqy0rsrvl | | 2024-02-14
Affected Vendors, Products, and Versions
Vendor | Product | Version | Status
---|---|---|---
Apache | Superset | < 2.1.3 | Affected
Apache | Superset | >= 3.0.0 < 3.0.1 | Affected