{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2024-23952", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2024-01-24T14:56:01.763Z", "datePublished": "2024-02-14T11:09:47.113Z", "dateUpdated": "2024-02-14T11:09:47.113Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache Superset", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "2.1.3", "status": "affected", "version": "0", "versionType": "semver"}, {"lessThan": "3.0.2", "status": "affected", "version": "3.0.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Dor Konis \u2013 GE Vernova"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "This is a duplicate for CVE-2023-46104. With correct CVE version ranges for affected Apache Superset.<br> <br>Uncontrolled resource consumption can be triggered by authenticated attacker that uploads a malicious ZIP to import database, dashboards or datasets. &nbsp;<br><span style=\"background-color: rgb(255, 255, 255);\">This vulnerability exists </span>in Apache Superset versions up to and including 2.1.2 and versions 3.0.0, 3.0.1.<br><br><br>"}], "value": "This is a duplicate for CVE-2023-46104. With correct CVE version ranges for affected Apache Superset.\n \nUncontrolled resource consumption can be triggered by authenticated attacker that uploads a malicious ZIP to import database, dashboards or datasets. \u00a0\nThis vulnerability exists in Apache Superset versions up to and including 2.1.2 and versions 3.0.0, 3.0.1.\n\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2024-02-14T11:09:47.113Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/zc58zvm4414molqn2m4d4vkrbrsxdksx"}, {"url": "http://www.openwall.com/lists/oss-security/2024/02/14/2"}, {"url": "http://www.openwall.com/lists/oss-security/2024/02/14/3"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache Superset: Allows for uncontrolled resource consumption via a ZIP bomb (version range fix for CVE-2023-46104)", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}

{"descriptions": [{"lang": "en", "value": "This is a duplicate for CVE-2023-46104. With correct CVE version ranges for affected Apache Superset.\n \nUncontrolled resource consumption can be triggered by authenticated attacker that uploads a malicious ZIP to import database, dashboards or datasets. \u00a0\nThis vulnerability exists in Apache Superset versions up to and including 2.1.2 and versions 3.0.0, 3.0.1.\n\n"}, {"lang": "es", "value": "Este es un duplicado de CVE-2023-46104. Con rangos de versi\u00f3n CVE correctos para Apache Superset afectado. El consumo incontrolado de recursos puede ser provocado por un atacante autenticado que carga un ZIP malicioso para importar bases de datos, paneles o conjuntos de datos. Esta vulnerabilidad existe en las versiones de Apache Superset hasta la 2.1.2 inclusive y en las versiones 3.0.0, 3.0.1."}], "id": "CVE-2024-23952", "lastModified": "2024-02-14T14:16:07.460", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security@apache.org", "type": "Secondary"}]}, "published": "2024-02-14T12:15:47.293", "references": [{"source": "security@apache.org", "url": "http://www.openwall.com/lists/oss-security/2024/02/14/2"}, {"source": "security@apache.org", "url": "http://www.openwall.com/lists/oss-security/2024/02/14/3"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread/zc58zvm4414molqn2m4d4vkrbrsxdksx"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "security@apache.org", "type": "Primary"}]}

{}