cvelistv5 - cve-2024-34084

CVE-2024-34084 (GCVE-0-2024-34084)

Vulnerability from cvelistv5 – Published: 2024-05-07 14:12 – Updated: 2024-08-02 02:42

Title

Minder's Github Webhook Handler vulnerable to denial of service from un-validated requests

Summary

Minder's `HandleGithubWebhook` is susceptible to a denial of service attack from an untrusted HTTP request. The vulnerability exists before the request has been validated, and as such the request is still untrusted at the point of failure. This allows an attacker with the ability to send requests to `HandleGithubWebhook` to crash the Minder controlplane and deny other users from using it. This vulnerability is fixed in 0.0.48.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-400 - Uncontrolled Resource Consumption

Assigner

GitHub_M

References

URL

Tags

	https://github.com/stacklok/minder/security/advis…	x_refsource_CONFIRM
	https://github.com/stacklok/minder/commit/3e5a527…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	stacklok	minder	Affected: < 0.0.48

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:stacklok:minder:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "minder",
            "vendor": "stacklok",
            "versions": [
              {
                "lessThan": "0.0.48",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-34084",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-05-07T18:05:18.956707Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:42:25.762Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T02:42:59.894Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/stacklok/minder/security/advisories/GHSA-9c5w-9q3f-3hv7",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/stacklok/minder/security/advisories/GHSA-9c5w-9q3f-3hv7"
          },
          {
            "name": "https://github.com/stacklok/minder/commit/3e5a527d2f1b535159206161d1d519602c75bd0d",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/stacklok/minder/commit/3e5a527d2f1b535159206161d1d519602c75bd0d"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "minder",
          "vendor": "stacklok",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.0.48"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Minder\u0027s `HandleGithubWebhook` is susceptible to a denial of service attack from an untrusted HTTP request. The vulnerability exists before the request has been validated, and as such the request is still untrusted at the point of failure. This allows an attacker with the ability to send requests to `HandleGithubWebhook` to crash the Minder controlplane and deny other users from using it. This vulnerability is fixed in 0.0.48."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400: Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-05-07T14:12:19.954Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/stacklok/minder/security/advisories/GHSA-9c5w-9q3f-3hv7",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/stacklok/minder/security/advisories/GHSA-9c5w-9q3f-3hv7"
        },
        {
          "name": "https://github.com/stacklok/minder/commit/3e5a527d2f1b535159206161d1d519602c75bd0d",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/stacklok/minder/commit/3e5a527d2f1b535159206161d1d519602c75bd0d"
        }
      ],
      "source": {
        "advisory": "GHSA-9c5w-9q3f-3hv7",
        "discovery": "UNKNOWN"
      },
      "title": "Minder\u0027s Github Webhook Handler vulnerable to denial of service from un-validated requests"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-34084",
    "datePublished": "2024-05-07T14:12:19.954Z",
    "dateReserved": "2024-04-30T06:56:33.385Z",
    "dateUpdated": "2024-08-02T02:42:59.894Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Minder\u0027s `HandleGithubWebhook` is susceptible to a denial of service attack from an untrusted HTTP request. The vulnerability exists before the request has been validated, and as such the request is still untrusted at the point of failure. This allows an attacker with the ability to send requests to `HandleGithubWebhook` to crash the Minder controlplane and deny other users from using it. This vulnerability is fixed in 0.0.48.\"}, {\"lang\": \"es\", \"value\": \"El `HandleGithubWebhook` de Minder es susceptible a un ataque de denegaci\\u00f3n de servicio procedente de una solicitud HTTP que no es de confianza. La vulnerabilidad existe antes de que se haya validado la solicitud y, como tal, la solicitud a\\u00fan no es confiable en el momento del error. Esto permite que un atacante con la capacidad de enviar solicitudes a \\\"HandleGithubWebhook\\\" bloquee el plano de control de Minder y niegue a otros usuarios su uso. Esta vulnerabilidad se solucion\\u00f3 en 0.0.48.\"}]",
      "id": "CVE-2024-34084",
      "lastModified": "2024-11-21T09:18:03.513",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.6}]}",
      "published": "2024-05-07T15:15:09.540",
      "references": "[{\"url\": \"https://github.com/stacklok/minder/commit/3e5a527d2f1b535159206161d1d519602c75bd0d\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/stacklok/minder/security/advisories/GHSA-9c5w-9q3f-3hv7\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/stacklok/minder/commit/3e5a527d2f1b535159206161d1d519602c75bd0d\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://github.com/stacklok/minder/security/advisories/GHSA-9c5w-9q3f-3hv7\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Awaiting Analysis",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-400\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-34084\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-05-07T15:15:09.540\",\"lastModified\":\"2024-11-21T09:18:03.513\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Minder\u0027s `HandleGithubWebhook` is susceptible to a denial of service attack from an untrusted HTTP request. The vulnerability exists before the request has been validated, and as such the request is still untrusted at the point of failure. This allows an attacker with the ability to send requests to `HandleGithubWebhook` to crash the Minder controlplane and deny other users from using it. This vulnerability is fixed in 0.0.48.\"},{\"lang\":\"es\",\"value\":\"El `HandleGithubWebhook` de Minder es susceptible a un ataque de denegaci\u00f3n de servicio procedente de una solicitud HTTP que no es de confianza. La vulnerabilidad existe antes de que se haya validado la solicitud y, como tal, la solicitud a\u00fan no es confiable en el momento del error. Esto permite que un atacante con la capacidad de enviar solicitudes a \\\"HandleGithubWebhook\\\" bloquee el plano de control de Minder y niegue a otros usuarios su uso. Esta vulnerabilidad se solucion\u00f3 en 0.0.48.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-400\"}]}],\"references\":[{\"url\":\"https://github.com/stacklok/minder/commit/3e5a527d2f1b535159206161d1d519602c75bd0d\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/stacklok/minder/security/advisories/GHSA-9c5w-9q3f-3hv7\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/stacklok/minder/commit/3e5a527d2f1b535159206161d1d519602c75bd0d\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://github.com/stacklok/minder/security/advisories/GHSA-9c5w-9q3f-3hv7\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/stacklok/minder/security/advisories/GHSA-9c5w-9q3f-3hv7\", \"name\": \"https://github.com/stacklok/minder/security/advisories/GHSA-9c5w-9q3f-3hv7\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/stacklok/minder/commit/3e5a527d2f1b535159206161d1d519602c75bd0d\", \"name\": \"https://github.com/stacklok/minder/commit/3e5a527d2f1b535159206161d1d519602c75bd0d\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T02:42:59.894Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-34084\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-05-07T18:05:18.956707Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:stacklok:minder:*:*:*:*:*:*:*:*\"], \"vendor\": \"stacklok\", \"product\": \"minder\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"0.0.48\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-05-07T18:06:04.958Z\"}}], \"cna\": {\"title\": \"Minder\u0027s Github Webhook Handler vulnerable to denial of service from un-validated requests\", \"source\": {\"advisory\": \"GHSA-9c5w-9q3f-3hv7\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"stacklok\", \"product\": \"minder\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 0.0.48\"}]}], \"references\": [{\"url\": \"https://github.com/stacklok/minder/security/advisories/GHSA-9c5w-9q3f-3hv7\", \"name\": \"https://github.com/stacklok/minder/security/advisories/GHSA-9c5w-9q3f-3hv7\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/stacklok/minder/commit/3e5a527d2f1b535159206161d1d519602c75bd0d\", \"name\": \"https://github.com/stacklok/minder/commit/3e5a527d2f1b535159206161d1d519602c75bd0d\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Minder\u0027s `HandleGithubWebhook` is susceptible to a denial of service attack from an untrusted HTTP request. The vulnerability exists before the request has been validated, and as such the request is still untrusted at the point of failure. This allows an attacker with the ability to send requests to `HandleGithubWebhook` to crash the Minder controlplane and deny other users from using it. This vulnerability is fixed in 0.0.48.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-400\", \"description\": \"CWE-400: Uncontrolled Resource Consumption\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-05-07T14:12:19.954Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-34084\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-08-02T02:42:59.894Z\", \"dateReserved\": \"2024-04-30T06:56:33.385Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-05-07T14:12:19.954Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

GHSA-9C5W-9Q3F-3HV7

Vulnerability from github – Published: 2024-05-07 13:02 – Updated: 2024-05-10 21:33

Summary

Minder's GitHub Webhook Handler vulnerable to DoS from un-validated requests

Details

Minder's HandleGithubWebhook is susceptible to a denial of service attack from an untrusted HTTP request. The vulnerability exists before the request has been validated, and as such the request is still untrusted at the point of failure. This allows an attacker with the ability to send requests to HandleGithubWebhook to crash the Minder controlplane and deny other users from using it.

One of the first things that HandleGithubWebhook does is to validate the payload signature. This is done by way of the internal helper validatePayloadSignature:

https://github.com/stacklok/minder/blob/ee66f6c0763212503c898cfefb65ce1450c7f5ac/internal/controlplane/handlers_githubwebhooks.go#L213-L218

validatePayloadSignature generates a reader from the incoming request by way of the internal helper readerFromRequest:

https://github.com/stacklok/minder/blob/ee66f6c0763212503c898cfefb65ce1450c7f5ac/internal/controlplane/handlers_githubwebhooks.go#L337-L342

To create a reader from the incoming request, readerFromRequest first reads the request body entirely into memory on line 368:

https://github.com/stacklok/minder/blob/ee66f6c0763212503c898cfefb65ce1450c7f5ac/internal/controlplane/handlers_githubwebhooks.go#L367-L377

This is a vulnerability, since an HTTP request with a large body can exhaust the memory of the machine running Minder and cause the Go runtime to crash Minder.

Note that this occurs before Minder has validated the request, and as such, the request is still untrusted.

To test this out, we can use the existing TestHandleWebHookRepository unit test and modify the HTTP request body to be large.

To do that, change these lines:

https://github.com/stacklok/minder/blob/ee66f6c0763212503c898cfefb65ce1450c7f5ac/internal/controlplane/handlers_githubwebhooks_test.go#L278-L283

... to these lines:

    packageJson, err := json.Marshal(event)
    require.NoError(t, err, "failed to marshal package event")

        maliciousBody := strings.NewReader(strings.Repeat("1337", 1000000000))
        maliciousBodyReader := io.MultiReader(maliciousBody, maliciousBody, maliciousBody, maliciousBody, maliciousBody)
        _ = packageJson

    client := &http.Client{}
    req, err := http.NewRequest("POST", fmt.Sprintf("http://%s", addr), maliciousBodyReader)
    require.NoError(t, err, "failed to create request")

Then run the unit test again. WARNING, SAVE ALL WORK BEFORE DOING THIS.

On my local machine, this causes the machine to freeze, and Go finally performs a sigkill:

signal: killed
FAIL      github.com/stacklok/minder/internal/controlplane          30.759s
FAIL

Severity ?

7.5 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/stacklok/minder"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.48"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-34084"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-07T13:02:42Z",
    "nvd_published_at": "2024-05-07T15:15:09Z",
    "severity": "HIGH"
  },
  "details": "Minder\u0027s `HandleGithubWebhook` is susceptible to a denial of service attack from an untrusted HTTP request. The vulnerability exists before the request has been validated, and as such the request is still untrusted at the point of failure. This allows an attacker with the ability to send requests to `HandleGithubWebhook` to crash the Minder controlplane and deny other users from using it.\n\nOne of the first things that `HandleGithubWebhook` does is to validate the payload signature. This is done by way of the internal helper `validatePayloadSignature`:\n\nhttps://github.com/stacklok/minder/blob/ee66f6c0763212503c898cfefb65ce1450c7f5ac/internal/controlplane/handlers_githubwebhooks.go#L213-L218\n\n`validatePayloadSignature` generates a reader from the incoming request by way of the internal helper `readerFromRequest`:\n\nhttps://github.com/stacklok/minder/blob/ee66f6c0763212503c898cfefb65ce1450c7f5ac/internal/controlplane/handlers_githubwebhooks.go#L337-L342\n\nTo create a reader from the incoming request, `readerFromRequest` first reads the request body entirely into memory on line 368:\n\nhttps://github.com/stacklok/minder/blob/ee66f6c0763212503c898cfefb65ce1450c7f5ac/internal/controlplane/handlers_githubwebhooks.go#L367-L377\n\nThis is a vulnerability, since an HTTP request with a large body can exhaust the memory of the machine running Minder and cause the Go runtime to crash Minder.\n\nNote that this occurs before Minder has validated the request, and as such, the request is still untrusted.\n\nTo test this out, we can use the existing `TestHandleWebHookRepository` unit test and modify the HTTP request body to be large. \n\nTo do that, change these lines:\n\nhttps://github.com/stacklok/minder/blob/ee66f6c0763212503c898cfefb65ce1450c7f5ac/internal/controlplane/handlers_githubwebhooks_test.go#L278-L283\n\n... to these lines:\n```go\n\tpackageJson, err := json.Marshal(event)\n\trequire.NoError(t, err, \"failed to marshal package event\")\n\n        maliciousBody := strings.NewReader(strings.Repeat(\"1337\", 1000000000))\n        maliciousBodyReader := io.MultiReader(maliciousBody, maliciousBody, maliciousBody, maliciousBody, maliciousBody)\n        _ = packageJson\n\n\tclient := \u0026http.Client{}\n\treq, err := http.NewRequest(\"POST\", fmt.Sprintf(\"http://%s\", addr), maliciousBodyReader)\n\trequire.NoError(t, err, \"failed to create request\")\n```\n\nThen run the unit test again. WARNING, SAVE ALL WORK BEFORE DOING THIS.\n\nOn my local machine, this causes the machine to freeze, and Go finally performs a sigkill: \n\n```\nsignal: killed\nFAIL      github.com/stacklok/minder/internal/controlplane          30.759s\nFAIL\n```",
  "id": "GHSA-9c5w-9q3f-3hv7",
  "modified": "2024-05-10T21:33:54Z",
  "published": "2024-05-07T13:02:42Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/stacklok/minder/security/advisories/GHSA-9c5w-9q3f-3hv7"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34084"
    },
    {
      "type": "WEB",
      "url": "https://github.com/stacklok/minder/commit/3e5a527d2f1b535159206161d1d519602c75bd0d"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/stacklok/minder"
    },
    {
      "type": "WEB",
      "url": "https://github.com/stacklok/minder/blob/ee66f6c0763212503c898cfefb65ce1450c7f5ac/internal/controlplane/handlers_githubwebhooks.go#L213-L218"
    },
    {
      "type": "WEB",
      "url": "https://github.com/stacklok/minder/blob/ee66f6c0763212503c898cfefb65ce1450c7f5ac/internal/controlplane/handlers_githubwebhooks.go#L337-L342"
    },
    {
      "type": "WEB",
      "url": "https://github.com/stacklok/minder/blob/ee66f6c0763212503c898cfefb65ce1450c7f5ac/internal/controlplane/handlers_githubwebhooks.go#L367-L377"
    },
    {
      "type": "WEB",
      "url": "https://github.com/stacklok/minder/blob/ee66f6c0763212503c898cfefb65ce1450c7f5ac/internal/controlplane/handlers_githubwebhooks_test.go#L278-L283"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Minder\u0027s GitHub Webhook Handler vulnerable to DoS from un-validated requests"
}

FKIE_CVE-2024-34084

Vulnerability from fkie_nvd - Published: 2024-05-07 15:15 - Updated: 2024-11-21 09:18

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/stacklok/minder/commit/3e5a527d2f1b535159206161d1d519602c75bd0d
	security-advisories@github.com	https://github.com/stacklok/minder/security/advisories/GHSA-9c5w-9q3f-3hv7
	af854a3a-2127-422b-91ae-364da2661108	https://github.com/stacklok/minder/commit/3e5a527d2f1b535159206161d1d519602c75bd0d
	af854a3a-2127-422b-91ae-364da2661108	https://github.com/stacklok/minder/security/advisories/GHSA-9c5w-9q3f-3hv7

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Minder\u0027s `HandleGithubWebhook` is susceptible to a denial of service attack from an untrusted HTTP request. The vulnerability exists before the request has been validated, and as such the request is still untrusted at the point of failure. This allows an attacker with the ability to send requests to `HandleGithubWebhook` to crash the Minder controlplane and deny other users from using it. This vulnerability is fixed in 0.0.48."
    },
    {
      "lang": "es",
      "value": "El `HandleGithubWebhook` de Minder es susceptible a un ataque de denegaci\u00f3n de servicio procedente de una solicitud HTTP que no es de confianza. La vulnerabilidad existe antes de que se haya validado la solicitud y, como tal, la solicitud a\u00fan no es confiable en el momento del error. Esto permite que un atacante con la capacidad de enviar solicitudes a \"HandleGithubWebhook\" bloquee el plano de control de Minder y niegue a otros usuarios su uso. Esta vulnerabilidad se solucion\u00f3 en 0.0.48."
    }
  ],
  "id": "CVE-2024-34084",
  "lastModified": "2024-11-21T09:18:03.513",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-05-07T15:15:09.540",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/stacklok/minder/commit/3e5a527d2f1b535159206161d1d519602c75bd0d"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/stacklok/minder/security/advisories/GHSA-9c5w-9q3f-3hv7"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/stacklok/minder/commit/3e5a527d2f1b535159206161d1d519602c75bd0d"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/stacklok/minder/security/advisories/GHSA-9c5w-9q3f-3hv7"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-400"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2024-34084 (GCVE-0-2024-34084)

GHSA-9C5W-9Q3F-3HV7

FKIE_CVE-2024-34084

Tags

Sightings

Nomenclature