Technology
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| apache-superset | pip | < 2.1.2 | 2.1.2 |
| apache-superset | pip | >= 3.0.0, < 3.1.0rc1 | 3.1.0rc1 |
The vulnerability stems from insufficient ZIP file validation during imports. The key evidence is in the commit diff:

- The function `get_contents_from_bundle` in `utils.py` was modified to call `check_is_safe_zip(bundle)` at the start.
- This new security check (added in `utils/core.py`) validates the maximum file size (100 MB) and the compression ratio (200:1) to prevent ZIP bombs.
- The absence of this validation in vulnerable versions allowed attackers to upload malicious ZIPs that would trigger excessive resource consumption during decompression/processing.
- The affected code path is explicitly used for importing databases/dashboards/datasets via ZIP uploads, which matches the vulnerability description.
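The check described above, as an added illustration rather than Apache Superset's own `check_is_safe_zip` code: it applies the two thresholds the advisory text names (100 MB uncompressed, 200:1 compression ratio) to an archive's central directory before anything is decompressed. Because the sizes in the central directory are attacker-supplied metadata, the example also shows the complementary control a practitioner would want, a bounded read that aborts once the real decompressed output passes the limit. The sample archives, the member names and the helper names are constructed for this example and are not Superset export bundles.

```python
import io
import os
import zipfile

# Limits matching the ones the advisory text attributes to the fix.
MAX_UNCOMPRESSED_BYTES = 100 * 1024 * 1024   # 100 MB
MAX_COMPRESSION_RATIO = 200.0                # 200:1


def check_is_safe_zip(zf, max_bytes=MAX_UNCOMPRESSED_BYTES, max_ratio=MAX_COMPRESSION_RATIO):
    """Return (ok, reason) after inspecting only the central directory.

    Nothing is decompressed here, so the check is cheap; but the sizes it reads
    are declared by the uploader, so it must be paired with read_member_bounded.
    """
    total = 0
    for info in zf.infolist():
        if info.is_dir():
            continue
        if info.file_size > max_bytes:
            return False, f"{info.filename}: declared size {info.file_size} exceeds {max_bytes}"
        if info.compress_size == 0:
            if info.file_size > 0:
                return False, f"{info.filename}: zero compressed size with non-zero data"
            continue
        ratio = info.file_size / info.compress_size
        if ratio > max_ratio:
            return False, f"{info.filename}: compression ratio {ratio:.0f}:1 exceeds {max_ratio:.0f}:1"
        total += info.file_size
        if total > max_bytes:
            return False, f"archive total {total} exceeds {max_bytes}"
    return True, "ok"


def read_member_bounded(zf, name, max_bytes=MAX_UNCOMPRESSED_BYTES):
    """Decompress one member in chunks, aborting once more than max_bytes is produced.

    This enforces the limit on actual output, which forged headers cannot evade.
    """
    chunks = []
    produced = 0
    with zf.open(name) as fh:
        while True:
            chunk = fh.read(64 * 1024)
            if not chunk:
                break
            produced += len(chunk)
            if produced > max_bytes:
                raise ValueError(f"{name}: decompressed output exceeded {max_bytes} bytes")
            chunks.append(chunk)
    return b"".join(chunks)


def build_zip(members):
    """Constructed fixture: build an in-memory DEFLATE zip from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample archives (hypothetical member names, not real export bundles):
# - a small incompressible member, the shape of a normal export
# - 4 MiB of zeros, which DEFLATE shrinks by roughly 1000:1, the zip-bomb pattern
BENIGN_ZIP = build_zip({"bundle/dashboard.yaml": os.urandom(4096)})
BOMB_ZIP = build_zip({"bundle/blob.bin": b"\0" * (4 * 1024 * 1024)})


def check_zip_bytes(data, **limits):
    """Run the central-directory check on raw archive bytes."""
    return check_is_safe_zip(zipfile.ZipFile(io.BytesIO(data)), **limits)


def read_first_member(data, max_bytes):
    """Bounded read of the first member of raw archive bytes."""
    zf = zipfile.ZipFile(io.BytesIO(data))
    return read_member_bounded(zf, zf.namelist()[0], max_bytes)


def member_exceeds_limit(data, max_bytes):
    """True if the bounded read of the first member had to abort."""
    try:
        read_first_member(data, max_bytes)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("benign:", check_zip_bytes(BENIGN_ZIP))
    print("bomb:  ", check_zip_bytes(BOMB_ZIP))
    print("bounded read aborted on bomb:", member_exceeds_limit(BOMB_ZIP, 1024 * 1024))
```

The metadata check rejects the zero-filled archive on its ratio and rejects any member whose declared size passes the cap, while the benign archive passes; the bounded read is what actually protects the import path when the declared sizes are lies. Both limits are parameters, so an import endpoint can tighten them below the advisory's values if its legitimate bundles are small.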