Nixpkgs security tracker

Dismissed

Permalink CVE-2024-3508

4.3 MEDIUM

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): Low (L)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): None (N)
Integrity (I): None (N)
Availability (A): Low (L)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): Low (L)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): None (N)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): None (N)
Modified Availability (MA): Low (L)

updated 6 months, 3 weeks ago by @LeSuisse Activity log

Created suggestion 8 months ago
@LeSuisse ignored
9 packages
- bzip2
- lbzip2
- pbzip2
- bzip2_1_1
- indexed-bzip2
- haskellPackages.bzip2-clib
- python312Packages.indexed-bzip2
- python313Packages.indexed-bzip2
- tests.pkg-config.defaultPkgConfigPackages.bzip2
6 months, 3 weeks ago
@LeSuisse dismissed 6 months, 3 weeks ago

Bzip2: compressed content bomb leads to denial of service of bombastic api

A flaw was found in Bombastic, which allows authenticated users to upload compressed (bzip2 or zstd) SBOMs. The API endpoint verifies the presence of some fields and values in the JSON. To perform this verification, the uploaded file must first be decompressed.