
CVE-2023-46104: Apache Superset uncontrolled resource consumption

CVSS Score: 6.5 (CVSS 3.1)

Basic Information

EPSS Score: 0.64303%
Published: 12/19/2023
Updated: 2/13/2025
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Package Name      Ecosystem   Vulnerable Versions      First Patched Version
apache-superset   pip         < 2.1.2                  2.1.2
apache-superset   pip         >= 3.0.0, < 3.1.0rc1     3.1.0rc1

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from insufficient ZIP file validation during imports. The key evidence is in the commit diff:
- The function 'get_contents_from_bundle' in utils.py was modified to add 'check_is_safe_zip(bundle)' at the start.
- This new security check (added in utils/core.py) validates maximum file size (100MB) and compression ratio (200:1) to prevent ZIP bombs.
- The absence of this validation in vulnerable versions allowed attackers to upload malicious ZIPs that would trigger excessive resource consumption during decompression/processing.
- The affected code path is explicitly used for importing databases/dashboards/datasets via ZIP uploads, which matches the vulnerability description.
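As an added illustration (not the code shipped in Superset), a Python reimplementation of the kind of check the fix adds: it rejects an archive from its central-directory metadata before any member is decompressed. The function name comes from the diff quoted above; its signature, the limit constants and the build_zip fixture are assumptions.

```python
import io
import zipfile

# Limits quoted in the root-cause analysis; assumed to match the upstream
# values. This is an illustrative reimplementation, not Superset's own code.
MAX_UNCOMPRESSED_BYTES = 100 * 1024 * 1024  # 100 MB
MAX_COMPRESSION_RATIO = 200                 # 200:1


def check_is_safe_zip(bundle: zipfile.ZipFile,
                      max_size: int = MAX_UNCOMPRESSED_BYTES,
                      max_ratio: float = MAX_COMPRESSION_RATIO) -> None:
    """Raise ValueError before any member is decompressed.

    Only central-directory metadata (file_size / compress_size) is read, so
    rejection is cheap. Those fields are attacker-controlled, so the extractor
    should still cap the bytes it streams out of each member.
    """
    total_size = 0
    total_compressed = 0
    for info in bundle.infolist():
        total_size += info.file_size
        total_compressed += info.compress_size
        if total_size > max_size:
            raise ValueError(
                f"declared size {total_size} exceeds {max_size} bytes")
    # Stored-only or empty archives have ratio 1:1; nothing to check.
    if total_compressed and total_size / total_compressed > max_ratio:
        raise ValueError(
            f"ratio {total_size / total_compressed:.0f}:1 exceeds {max_ratio}:1")


def is_safe_zip(bundle: zipfile.ZipFile, **limits) -> bool:
    """Boolean form of check_is_safe_zip for use at an upload boundary."""
    try:
        check_is_safe_zip(bundle, **limits)
        return True
    except ValueError:
        return False


def build_zip(members: dict) -> zipfile.ZipFile:
    """Constructed in-memory archive used as a fixture (not a real export)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    buf.seek(0)
    return zipfile.ZipFile(buf)
```

A 10 MB run of zero bytes deflates to a few kilobytes, so the ratio check alone rejects it even though it is far under the 100 MB size cap.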
