CVE-2023-46104: 
Wolfi vulnerability analysis and mitigation

A vulnerability in Apache Superset (CVE-2023-46104) was discovered that affects versions up to and including 2.1.2 and versions 3.0.0, 3.0.1. The vulnerability was identified by Dor Konis from GE Vernova and allows for uncontrolled resource consumption through malicious ZIP file uploads (Apache Advisory, OSS Security).

The vulnerability is classified as Uncontrolled Resource Consumption (CWE-400) and has received a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. The issue can be triggered by an authenticated attacker who uploads a malicious ZIP file during the import of databases, dashboards, or datasets (NVD).

When successfully exploited, this vulnerability can lead to uncontrolled resource consumption in the Apache Superset system, potentially affecting system availability. The attack requires authentication but does not require user interaction, and the impact is primarily on the availability of the system with no direct effect on confidentiality or integrity (NVD).

Users should upgrade to Apache Superset version 2.1.3 or later, or to version 3.0.2 or later if using the 3.x branch. Initially, the fix was thought to be version 3.0.1, but this was later corrected to version 3.0.2 (OSS Security).