Flaw in Bombastic Allows Authenticated Users to Upload Compressed SBOMs
CVE-2024-3508

4.3MEDIUM

Key Information:

Vendor: Red Hat
Status: Red Hat Trusted Profile Analyzer
Vendor: CVE Published:; 25 April 2024

Summary

A flaw was found in Bombastic, which allows authenticated users to upload compressed (bzip2 or zstd) SBOMs. The API endpoint verifies the presence of some fields and values in the JSON. To perform this verification, the uploaded file must first be decompressed.

References

https://access.redhat.com/security/cve/CVE-2024-3508

vdb-entryx_refsource_REDHAT

https://bugzilla.redhat.com/show_bug.cgi?id=2274109

issue-trackingx_refsource_REDHAT

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Apr 25, 2024