x/vulndb: potential Go vuln in github.com/temporalio/temporal: CVE-2024-2689

[GoVulnBot]

CVE-2024-2689 references github.com/temporalio/temporal, which may be a Go module.

Description:
Denial of Service in Temporal Server prior to version 1.20.5, 1.21.6, and 1.22.7 allows an authenticated user who has permissions to interact with workflows and has crafted an invalid UTF-8 string for submission to potentially cause a crashloop. If left unchecked, the task containing the invalid UTF-8 will become stuck in the queue, causing an increase in queue lag. Eventually, all processes handling these queues will become stuck and the system will run out of resources. The workflow ID of the failing task will be visible in the logs, and can be used to remove that workflow as a mitigation. Version 1.23 is not impacted. In this context, a user is an operator of Temporal Server.

References:

• NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-2689
• JSON: https://github.com/CVEProject/cvelist/tree/996deaba66dc11a75b71f65bae13eb2559b34e4e/2024/2xxx/CVE-2024-2689.json
• web: https://github.com/temporalio/temporal/releases
• Imported by: https://pkg.go.dev/github.com/temporalio/temporal?tab=importedby

Cross references:

• Module github.com/temporalio/temporal appears in issue x/vulndb: potential Go vuln in github.com/temporalio/temporal: CVE-2023-3485 #1879 EFFECTIVELY_PRIVATE

See doc/triage.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/temporalio/temporal
      vulnerable_at: 1.23.0
      packages:
        - package: Temporal Server
cves:
    - CVE-2024-2689
references:
    - web: https://github.com/temporalio/temporal/releases

[tatianab]

Duplicate of #2689