Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x/vulndb: potential Go vuln in github.com/stacklok/minder: CVE-2024-35194 #2871

Closed
GoVulnBot opened this issue May 20, 2024 · 1 comment
Closed

x/vulndb: potential Go vuln in github.com/stacklok/minder: CVE-2024-35194 #2871

GoVulnBot opened this issue May 20, 2024 · 1 comment
Labels
triaged

Comments

@GoVulnBot
Copy link

CVE-2024-35194 references github.com/stacklok/minder, which may be a Go module.

Description:
Minder is a software supply chain security platform. Prior to version 0.0.50, Minder engine is susceptible to a denial of service from memory exhaustion that can be triggered from maliciously created templates. Minder engine uses templating to generate strings for various use cases such as URLs, messages for pull requests, descriptions for advisories. In some cases can the user control both the template and the params for it, and in a subset of these cases, Minder reads the generated template entirely into memory. When Minders templating meets both of these conditions, an attacker is able to generate large enough templates that Minder will exhaust memory and crash. This vulnerability is fixed in 0.0.50.

References:

Cross references:

See doc/triage.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/stacklok/minder
      vulnerable_at: 0.0.50
      packages:
        - package: minder
summary: CVE-2024-35194 in github.com/stacklok/minder
cves:
    - CVE-2024-35194
references:
    - advisory: https://github.com/stacklok/minder/security/advisories/GHSA-crgc-2583-rw27
    - fix: https://github.com/stacklok/minder/commit/fe321d345b4f738de6a06b13207addc72b59f892
source:
    id: CVE-2024-35194
    created: 2024-05-20T22:01:41.631827221Z
@zpavlinovic zpavlinovic mentioned this issue May 22, 2024
Closed
@zpavlinovic zpavlinovic self-assigned this May 22, 2024
@zpavlinovic zpavlinovic removed their assignment May 22, 2024
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/590277 mentions this issue: data/reports: add 26 unreviewed reports

This was referenced Jun 18, 2024
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
triaged
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@zpavlinovic @tatianab @gopherbot @GoVulnBot