CVE-2024-23952 MEDIUM

CVE-2024-23952: Apache Superset: Allows for uncontrolled resource consumption via a ZIP bomb (version range fix for CVE-2023-46104)

Vendor Apache Software Foundation

Product Apache Superset

Weakness CWE-400

Published February 14, 2024

Last update February 13, 2025

View on NVD All CVEs

CVSS base score

6.5/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality None

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

Description

This is a duplicate for CVE-2023-46104. With correct CVE version ranges for affected Apache Superset. Uncontrolled resource consumption can be triggered by authenticated attacker that uploads a malicious ZIP to import database, dashboards or datasets. This vulnerability exists in Apache Superset versions up to and including 2.1.2 and versions 3.0.0, 3.0.1.

Key dates

Disclosure timeline

February 14, 2024 CVE published

February 13, 2025 Record updated

Identifiers

CVE CVE-2024-23952

CWE CWE-400

CVSS 6.5 / MEDIUM

Affected versions

Vendor Apache Software Foundation

Product Apache Superset

Affected < 2.1.3

Vendor Apache Software Foundation

Product Apache Superset

Affected ≥ 3.0.0 and < 3.0.2