CVE-2023-46104 MEDIUM

CVE-2023-46104: Apache Superset: Allows for uncontrolled resource consumption via a ZIP bomb

Vendor Apache Software Foundation

Product Apache Superset

Weakness CWE-400

Published December 19, 2023

Last update February 13, 2025

View on NVD All CVEs

CVSS base score

6.5/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality None

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

Description

Uncontrolled resource consumption can be triggered by authenticated attacker that uploads a malicious ZIP to import database, dashboards or datasets. This vulnerability exists in Apache Superset versions up to and including 2.1.2 and versions 3.0.0, 3.0.1.

Key dates

Disclosure timeline

December 19, 2023 CVE published

February 13, 2025 Record updated

Identifiers

CVE CVE-2023-46104

CWE CWE-400

CVSS 6.5 / MEDIUM

Affected versions

Vendor Apache Software Foundation

Product Apache Superset

Affected < 2.1.3

Vendor Apache Software Foundation

Product Apache Superset

Affected ≥ 3.0.0 and < 3.0.1