CVE-2024-3508

Bzip2: compressed content bomb leads to denial of service of bombastic api

CVSS 4.3 MEDIUMEPSS 0.5%CWE-400 CWE-434

Vexday Risk Score

13Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 4.3EPSS 0.5%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

25 Apr 2024Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

A flaw was found in Bombastic, which allows authenticated users to upload compressed (bzip2 or zstd) SBOMs. The API endpoint verifies the presence of some fields and values in the JSON. To perform this verification, the uploaded file must first be decompressed.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Affected products

bzip2Red Hat · Red Hat Trusted Profile Analyzer

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://access.redhat.com/security/cve/CVE-2024-3508 https://bugzilla.redhat.com/show_bug.cgi?id=2274109