CVE-2024-3508

A flaw was found in Bombastic, which allows authenticated users to upload compressed (bzip2 or zstd) SBOMs. The API endpoint verifies the presence of some fields and values in the JSON. To perform this verification, the uploaded file must first be decompressed.

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://access.redhat.com/security/cve/CVE-2024-3508	Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2274109	Issue Tracking Vendor Advisory
https://access.redhat.com/security/cve/CVE-2024-3508	Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2274109	Issue Tracking Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:redhat:trusted_profile_analyzer:-:*:*:*:*:*:*:*

History

18 Jun 2025, 19:28

Type	Values Removed	Values Added
First Time		Redhat trusted Profile Analyzer Redhat
CPE		cpe:2.3:a:redhat:trusted_profile_analyzer:-:::::::*
References	~~() https://access.redhat.com/security/cve/CVE-2024-3508 -~~	() https://access.redhat.com/security/cve/CVE-2024-3508 - Vendor Advisory
References	~~() https://bugzilla.redhat.com/show_bug.cgi?id=2274109 -~~	() https://bugzilla.redhat.com/show_bug.cgi?id=2274109 - Issue Tracking, Vendor Advisory

Information

Published : 2024-04-25 18:15

Updated : 2025-06-18 19:28

NVD link : CVE-2024-3508

Mitre link : CVE-2024-3508

CVE.ORG link : CVE-2024-3508

JSON object : View

Products Affected

redhat

trusted_profile_analyzer

CWE

CWE-400

Uncontrolled Resource Consumption

CWE-434

Unrestricted Upload of File with Dangerous Type

{"id": "CVE-2024-3508", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "secalert@redhat.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2024-04-25T18:15:09.567", "references": [{"url": "https://access.redhat.com/security/cve/CVE-2024-3508", "tags": ["Vendor Advisory"], "source": "secalert@redhat.com"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2274109", "tags": ["Issue Tracking", "Vendor Advisory"], "source": "secalert@redhat.com"}, {"url": "https://access.redhat.com/security/cve/CVE-2024-3508", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2274109", "tags": ["Issue Tracking", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "secalert@redhat.com", "description": [{"lang": "en", "value": "CWE-400"}]}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-434"}]}], "descriptions": [{"lang": "en", "value": "A flaw was found in Bombastic, which allows authenticated users to upload compressed (bzip2 or zstd) SBOMs. The API endpoint verifies the presence of some fields and values in the JSON. To perform this verification, the uploaded file must first be decompressed."}, {"lang": "es", "value": "Se encontr\u00f3 una falla en Bombastic, que permite a los usuarios autenticados cargar SBOM comprimidos (bzip2 o zstd). El endpoint de API verifica la presencia de algunos campos y valores en el JSON. Para realizar esta verificaci\u00f3n, primero se debe descomprimir el archivo subido."}], "lastModified": "2025-06-18T19:28:13.487", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:redhat:trusted_profile_analyzer:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F4481AC5-2D91-4AD2-B7A2-DA3A6F97DA4D"}], "operator": "OR"}]}], "sourceIdentifier": "secalert@redhat.com"}