Bug 1223418 (CVE-2024-3508)

Summary: VUL-0: CVE-2024-3508: bzip2: compressed content bomb leads to denial of service of Bombastic API
Product: [Novell Products] SUSE Security Incidents
Reporter: SMASH SMASH <smash_bz>
Component: Incidents
Assignee: Antonio Teixeira <antonio.teixeira>
Status: NEW ---
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: carlos.lopez
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/400853/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-3508:6.5:(AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description (SMASH SMASH, 2024-04-26 11:14:59 UTC):
A flaw was found in Bombastic, which allows authenticated users to upload compressed (bzip2 or zstd) SBOMs. The API endpoint verifies the presence of some fields and values in the JSON. To perform this verification, the uploaded file must first be decompressed.
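The upload path described above has to decompress before it can validate, so the defensive change is to bound the decompression itself. The following is an added example in Python (not Bombastic's own code, which is not shown here) that inflates a bzip2 upload under a hard output cap before any JSON field check is attempted; the required field names, the 1 MiB cap and the sample uploads are constructed assumptions.

```python
import bz2
import json

# Constructed sample inputs (not from the bug report): a small SBOM-like JSON
# document, and a "bomb" whose tiny compressed form expands to 4 MiB of zeros.
GOOD_SBOM_JSON = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5",
                             "components": []}).encode()
GOOD_UPLOAD = bz2.compress(GOOD_SBOM_JSON)
BOMB_UPLOAD = bz2.compress(b"\0" * (4 << 20))

class DecompressionLimitExceeded(ValueError):
    """Decompressed output would exceed the configured cap."""

def decompress_bz2_bounded(data: bytes, max_out: int, chunk: int = 65536) -> bytes:
    """Inflate a bzip2 stream, failing as soon as output passes max_out bytes."""
    dec = bz2.BZ2Decompressor()
    out = bytearray()
    pending = data                     # the whole upload is handed over once
    while not dec.eof:
        room = max_out - len(out) + 1  # +1 lets us detect "over", not just "at"
        piece = dec.decompress(pending, max_length=min(chunk, room))
        pending = b""                  # later calls only drain buffered output
        out += piece
        if len(out) > max_out:
            raise DecompressionLimitExceeded(f"output exceeds {max_out} bytes")
        if not piece and dec.needs_input:
            raise ValueError("truncated bzip2 stream")
    if dec.unused_data:
        raise ValueError("trailing data after bzip2 stream")
    return bytes(out)

def check_sbom_upload(data: bytes, max_out: int,
                      required=("bomFormat", "specVersion")) -> dict:
    """Cap the decompression first, then do the field check. The required
    keys are a hypothetical stand-in for whatever Bombastic verifies."""
    doc = json.loads(decompress_bz2_bounded(data, max_out))
    missing = [k for k in required if k not in doc]
    if missing:
        raise ValueError(f"SBOM missing required fields: {missing}")
    return doc

def demo(max_out: int = 1 << 20) -> dict:
    """Report how the two constructed uploads fare under a 1 MiB cap."""
    accepted = "bomFormat" in check_sbom_upload(GOOD_UPLOAD, max_out)
    try:
        check_sbom_upload(BOMB_UPLOAD, max_out)
        rejected = False
    except DecompressionLimitExceeded:
        rejected = True
    return {"good_accepted": accepted, "bomb_rejected": rejected}
```

The cap should be set from the largest SBOM the service legitimately expects, and the same bounded-read pattern applies to the zstd path mentioned in the report.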

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-3508
https://bugzilla.redhat.com/show_bug.cgi?id=2274109
https://www.cve.org/CVERecord?id=CVE-2024-3508
https://access.redhat.com/security/cve/CVE-2024-3508