CVE-2024-3508

Published: Apr 25, 2024Modified: Jun 18, 2025

4.3

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Exploitability: 2.8 / Impact: 1.4

Source: secalert@redhat.com (Secondary)

Description

A flaw was found in Bombastic, which allows authenticated users to upload compressed (bzip2 or zstd) SBOMs. The API endpoint verifies the presence of some fields and values in the JSON. To perform this verification, the uploaded file must first be decompressed.

Affected (1)

Products: Redhat: Trusted Profile Analyzer

1 product

Trusted Profile Analyzer

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Redhat Trusted Profile Analyzer	All versions

Related CWEs

Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

References (4)

https://access.redhat.com/security/cve/CVE-2024-3508

Source: secalert@redhat.com

Vendor Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=2274109

Source: secalert@redhat.com

Issue TrackingVendor Advisory

https://access.redhat.com/security/cve/CVE-2024-3508

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=2274109

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingVendor Advisory

Timeline

No history available yet.