Miggo Logo
Miggo Vulnerability Database
CVE-2023-42504

CVE-2023-42504: Apache Superset Allocation of Resources Without Limits or Throttling vulnerability

6.5

CVSS Score
3.1

Basic Information

CVE ID
CVE-2023-42504
GHSA ID
GHSA-3hp7-4qq4-v5c6
EPSS Score
0.41237%
CWE
CWE-770
Published
11/28/2023
Updated
2/13/2025
KEV Status
No
Technology
TechnologyPython

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
apache-supersetpip< 3.0.03.0.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from unthrottled dashboard export endpoints. Since the attack vector involves multiple concurrent export requests, the logical candidate is the dashboard export handler function. In Flask-based applications like Superset, these are typically implemented as API endpoints. The lack of rate-limiting decorators or concurrency checks in the export function (commonly found in REST API classes) would make it vulnerable to DoS via resource exhaustion. This matches the CWE-770 pattern and the described exploit scenario.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*n *ut**nti**t** m*li*ious us*r *oul* initi*t* multipl* *on*urr*nt r*qu*sts, **** r*qu*stin* multipl* **s**o*r* *xports, l***in* to * possi*l* **ni*l o* s*rvi**. T*is issu* *****ts *p**** Sup*rs*t: ***or* *.*.*

Reasoning

T** vuln*r**ility st*ms *rom unt*rottl** **s**o*r* *xport *n*points. Sin** t** *tt**k v**tor involv*s multipl* *on*urr*nt *xport r*qu*sts, t** lo*i**l **n*i**t* is t** **s**o*r* *xport **n*l*r *un*tion. In *l*sk-**s** *ppli**tions lik* Sup*rs*t, t**s