Bug 1223418 (CVE-2024-3508) - VUL-0: CVE-2024-3508: bzip2: compressed content bomb leads to denial of service of Bombastic API
Summary: VUL-0: CVE-2024-3508: bzip2: compressed content bomb leads to denial of servi...
Status: NEW
Alias: CVE-2024-3508
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other OS: Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Antonio Teixeira
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/400853/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-3508:6.5:(AV:N...
Keywords:
Depends on:
Blocks:
 
Reported: 2024-04-26 11:14 UTC by SMASH SMASH
Modified: 2024-06-28 15:19 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description SMASH SMASH 2024-04-26 11:14:59 UTC
A flaw was found in Bombastic, which allows authenticated users to upload compressed (bzip2 or zstd) SBOMs. The API endpoint verifies the presence of some fields and values in the JSON. To perform this verification, the uploaded file must first be decompressed.
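The description above states the root cause: the endpoint must fully decompress an upload before it can inspect the JSON, so a tiny bzip2 stream that expands to a huge output exhausts memory or CPU before the field check ever runs. The usual mitigation is to decompress incrementally under a hard output cap and reject the upload as soon as the cap is exceeded. The following is an added illustration of that pattern, not Bombastic's own code; the cap value and the required field names (`bomFormat`, `specVersion`) are assumptions chosen for the example, and the inputs are constructed inline.

```python
import bz2
import json

# Cap on decompressed bytes. The value is an assumption for this example;
# a real service sizes it to the largest legitimate SBOM it expects.
MAX_DECOMPRESSED = 1 * 1024 * 1024

# Fields the upload check requires. Hypothetical: the bug does not name them.
REQUIRED_FIELDS = ("bomFormat", "specVersion")


class DecompressionLimitExceeded(Exception):
    """Raised when the decompressed output would exceed the configured cap."""


def decompress_bounded(data: bytes, max_out: int = MAX_DECOMPRESSED,
                       chunk: int = 64 * 1024) -> bytes:
    """Decompress a bzip2 stream incrementally, never materialising more than
    max_out bytes of output. A content bomb trips the cap after a handful of
    chunks instead of being expanded in full."""
    d = bz2.BZ2Decompressor()
    out = bytearray()
    pending = data
    while not d.eof:
        # max_length bounds the output of this one call; input that was not
        # consumed stays buffered inside the decompressor, so later calls
        # pass b"" and simply drain what is already there.
        piece = d.decompress(pending, max_length=chunk)
        pending = b""
        out += piece
        if len(out) > max_out:
            raise DecompressionLimitExceeded(
                f"decompressed output exceeded {max_out} bytes")
        if d.needs_input and not d.eof:
            # All input consumed but end-of-stream never reached: truncated.
            raise ValueError("truncated bzip2 stream")
    return bytes(out)


def validate_upload(compressed: bytes, max_out: int = MAX_DECOMPRESSED) -> dict:
    """Decompress under the cap, then run the presence check on the JSON.
    Either failure rejects the upload before anything large is held in memory."""
    raw = decompress_bounded(compressed, max_out)
    doc = json.loads(raw.decode("utf-8"))
    missing = [f for f in REQUIRED_FIELDS if f not in doc]
    if missing:
        raise ValueError(f"SBOM missing required fields: {missing}")
    return doc


def make_samples() -> dict:
    """Constructed inputs: a small legitimate SBOM, a JSON document lacking the
    required fields, and a bzip2 bomb that expands to 8 MiB of zero bytes from
    a few hundred compressed bytes."""
    sbom = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5",
                       "components": []}).encode()
    return {
        "good": bz2.compress(sbom),
        "nofields": bz2.compress(b'{"foo": 1}'),
        "bomb": bz2.compress(b"\0" * (8 * 1024 * 1024)),
    }


def main() -> None:
    samples = make_samples()
    print("good upload accepted:", validate_upload(samples["good"])["bomFormat"])
    try:
        validate_upload(samples["bomb"])
    except DecompressionLimitExceeded as exc:
        print("bomb rejected:", exc)


if __name__ == "__main__":
    main()
```

The cap is enforced on output, not input: the compressed size of a bomb is useless as a signal, since the whole point of the attack is that a few hundred bytes expand to gigabytes. The same shape applies to the zstd path mentioned in the description, using that library's streaming decompressor with an output limit in place of `BZ2Decompressor`.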

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-3508
https://bugzilla.redhat.com/show_bug.cgi?id=2274109
https://www.cve.org/CVERecord?id=CVE-2024-3508
https://access.redhat.com/security/cve/CVE-2024-3508