CVE-2023-22898

Name of the Vulnerable Software and Affected Versions Pandora (aka pandora-analysis/pandora) version 1.3.0

Description The issue allows a denial of service when an attacker submits a deeply nested ZIP archive, also known as a ZIP bomb. This can be exploited through the workers/extractor.py component.

Recommendations For Pandora (aka pandora-analysis/pandora) version 1.3.0, consider restricting the submission of ZIP archives or implementing a check for deeply nested archives to prevent denial of service attacks. As a temporary workaround, consider disabling the ZIP archive processing functionality in the workers/extractor.py component until a patch is available.