Lucene search

Veracode Vulnerability DatabaseVERACODE:44762

HistoryDec 20, 2023 - 9:48 a.m.

Denial Of Service (DoS)

2023-12-2009:48:38

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

denial of service

apache_superset

zip archive

resource consumption

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

6.7 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

50.9%

JSON

apache_superset is vulnerable to Denial Of Service. The vulnerability is caused by a lack size checks for each file within a ZIP archive. This allows an attacker to upload a maliciously crafted ZIP file (such as a ZIP bomb or an oversized file), and upon decompression. This flaw can result in uncontrolled resource consumption.

CPENameOperatorVersion
apache-supersetle3.0.0
apache-supersetle2.1.1
apache-supersetle3.0.0
apache-supersetle2.1.1

Name	Operator	Version
apache-superset	le	3.0.0
apache-superset	le	2.1.1
apache-superset	le	3.0.0
apache-superset	le	2.1.1

References

www.openwall.com/lists/oss-security/2023/12/19/1

www.openwall.com/lists/oss-security/2024/02/14/2

www.openwall.com/lists/oss-security/2024/02/14/3

github.com/advisories/GHSA-95mg-jgfx-54v9

github.com/apache/superset/commit/f473d13d0d89de5990209ff81b17dfe2cee884d3

github.com/apache/superset/pull/25658

lists.apache.org/thread/yxbxg4wryb7cb7wyybk11l5nqy0rsrvl

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

6.7 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

50.9%

JSON

Related for VERACODE:44762