Bug 2274109 (CVE-2024-3508)
| Summary: | CVE-2024-3508 bzip2: Compressed Content Bomb Leads to Denial of Service of Bombastic API | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Rohit Keshri <rkeshri> |
| Component: | vulnerability | Assignee: | Product Security <prodsec-ir-bot> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | afield, dbosanac, jreimann, mdessi, mrizzi, pcattana |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | A flaw was found in Bombastic, which allows authenticated users to upload compressed (bzip2 or zstd) SBOMs. The API endpoint verifies the presence of some fields and values in the JSON. To perform this verification, the uploaded file must first be decompressed. A compressed content bomb submitted through this endpoint therefore expands during that decompression step and can exhaust the service's resources, causing a denial of service. | Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2274110, 2274111 | ||
| Bug Blocks: | 2274108 | ||
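The mechanism the Doc Text describes, as an added example that is not Bombastic's, Trustification's or Red Hat's code: a bzip2 content bomb built from a run of zero bytes, the unbounded decompression the endpoint performs before it can validate the JSON, and a bounded replacement that stops at a fixed output cap before parsing. Python's standard bz2 module stands in for the project's Rust implementation; the size limits, the sample SBOM and the required JSON keys are assumptions, since the advisory does not name the fields Bombastic checks. zstd is not shown because the Python standard library has no zstd module.

```python
import bz2
import json

# Hypothetical limits for this example; real values depend on the largest
# legitimate SBOM the service has to accept.
MAX_COMPRESSED_BYTES = 1 * 1024 * 1024      # reject oversized uploads before touching bzip2
MAX_DECOMPRESSED_BYTES = 8 * 1024 * 1024    # hard cap on bytes materialised per upload

# Constructed sample document; the advisory does not name the fields Bombastic
# checks, so these keys are assumptions for the example.
SAMPLE_SBOM = {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": []}
REQUIRED_KEYS = ("bomFormat", "specVersion")


class DecompressionBombError(ValueError):
    """Raised when an upload would expand past the configured output cap."""


def compress_sbom(doc: dict) -> bytes:
    """A legitimate upload: a JSON SBOM compressed with bzip2."""
    return bz2.compress(json.dumps(doc).encode(), compresslevel=9)


def make_bzip2_bomb(uncompressed_size: int) -> bytes:
    """Constructed attacker payload: a run of zero bytes, which bzip2 shrinks by
    orders of magnitude. It is not valid JSON, but the endpoint only finds that
    out after it has paid the full decompression cost."""
    return bz2.compress(b"\x00" * uncompressed_size, compresslevel=9)


def decompress_unbounded(compressed: bytes) -> bytes:
    """Vulnerable pattern: the whole stream is expanded into memory before any
    property of the result can be checked, so memory use is attacker-controlled."""
    return bz2.decompress(compressed)


def decompress_bounded(compressed: bytes, limit: int = MAX_DECOMPRESSED_BYTES,
                       chunk: int = 64 * 1024) -> bytes:
    """Hardened pattern: decompress incrementally and abort as soon as the output
    would exceed `limit`, so a bomb costs at most `limit` bytes of memory plus the
    CPU time needed to produce them."""
    dec = bz2.BZ2Decompressor()
    out = bytearray()
    pending = compressed
    while not dec.eof:
        if dec.needs_input:
            if not pending:
                raise ValueError("truncated bzip2 stream")
            data, pending = pending, b""
        else:
            # The previous call hit max_length; the decompressor still holds
            # buffered input, and the documented way to drain it is to pass b"".
            data = b""
        piece = dec.decompress(data, max_length=chunk)
        if len(out) + len(piece) > limit:
            raise DecompressionBombError(
                f"output exceeds {limit} bytes after {len(out) + len(piece)} bytes")
        out += piece
    return bytes(out)


def expands_past_limit(compressed: bytes, limit: int) -> bool:
    """True if the stream would expand past `limit` (the bomb check in isolation)."""
    try:
        decompress_bounded(compressed, limit=limit)
    except DecompressionBombError:
        return True
    return False


def validate_sbom_upload(compressed: bytes) -> dict:
    """Stand-in for the endpoint's check: bound the compressed size, bound the
    decompressed size, and only then parse the JSON and look for required keys."""
    if len(compressed) > MAX_COMPRESSED_BYTES:
        raise ValueError("compressed upload too large")
    doc = json.loads(decompress_bounded(compressed))
    missing = [k for k in REQUIRED_KEYS if k not in doc]
    if missing:
        raise ValueError(f"missing required fields: {missing}")
    return doc


if __name__ == "__main__":
    bomb = make_bzip2_bomb(16 * 1024 * 1024)
    print(f"bomb: {len(bomb)} bytes compressed -> {len(decompress_unbounded(bomb))} bytes expanded")
    print("bounded decompression rejects it:", expands_past_limit(bomb, MAX_DECOMPRESSED_BYTES))
    print("legitimate SBOM accepted:", validate_sbom_upload(compress_sbom(SAMPLE_SBOM)))
```

Capping only the compressed upload size is not enough on its own: a few hundred bytes of bzip2 input expand to many megabytes here, so the limit has to be enforced on the output side, as decompress_bounded does, before the JSON parser ever sees the data. The same shape applies to zstd with any streaming decoder that lets the caller read a bounded number of bytes per call.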
Description
Rohit Keshri 2024-04-09 07:53:33 UTC
Created bzip2 tracking bugs for this issue:
Affects: fedora-all [bug 2274110]
Created mingw-bzip2 tracking bugs for this issue:
Affects: fedora-all [bug 2274111]