CVE-2024-34084
Denial of Service from untrusted requests in github.com/stacklok/minder
Severity: HIGH 7.5 | EPSS: 0.15%
Published: 5/7/2024 | Modified: 5/20/2024
Description
HandleGithubWebhook is susceptible to a denial of service attack from an untrusted HTTP request. An untrusted request can cause the server to allocate large amounts of memory, resulting in a denial of service.
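The defensive pattern for this bug class, shown as an added example that is not Minder's code and does not reproduce its fix: a webhook handler must bound how much of the body it buffers before it can verify anything, because the HMAC signature GitHub sends can only be checked once the payload is in memory. The handler name, route, 1 MiB limit and secret below are assumptions for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)
// Assumed body limit for this example (not Minder's value) and a constructed sample secret.
const maxWebhookBody = 1 << 20 // 1 MiB
var webhookSecret = []byte("example-shared-secret")
// handleWebhook bounds the read before anything else: the HMAC can only be checked once the body
// is in memory, so an unbounded read lets an unauthenticated sender choose the allocation size.
func handleWebhook(w http.ResponseWriter, r *http.Request) {
	r.Body = http.MaxBytesReader(w, r.Body, maxWebhookBody) // read fails once the limit is exceeded
	body, err := io.ReadAll(r.Body)
	var tooLarge *http.MaxBytesError
	switch {
	case errors.As(err, &tooLarge):
		w.WriteHeader(http.StatusRequestEntityTooLarge)
	case err != nil:
		w.WriteHeader(http.StatusBadRequest)
	case !hmac.Equal([]byte(r.Header.Get("X-Hub-Signature-256")), []byte(signature(body))):
		w.WriteHeader(http.StatusUnauthorized) // constant-time compare of the presented header
	default:
		w.WriteHeader(http.StatusOK) // a real handler decodes and dispatches the event here
	}
}

// signature returns the X-Hub-Signature-256 value for body: "sha256=" + hex(HMAC-SHA256(secret, body)).
func signature(body []byte) string {
	mac := hmac.New(sha256.New, webhookSecret)
	mac.Write(body)
	return "sha256=" + hex.EncodeToString(mac.Sum(nil))
}

// deliver sends a constructed request through the handler and returns the HTTP status code.
func deliver(body []byte, signed bool) int {
	req := httptest.NewRequest(http.MethodPost, "/webhook", strings.NewReader(string(body)))
	if signed {
		req.Header.Set("X-Hub-Signature-256", signature(body))
	}
	rec := httptest.NewRecorder()
	handleWebhook(rec, req)
	return rec.Code
}
```

An oversized request is rejected with 413 before any signature work, while a correctly signed payload at or under the limit is accepted.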
Affected packages (2)
- Go: github.com/stacklok/minder, affected from 0, fixed in 0.0.48 (all versions < 0.0.48)
- Go: github.com/stacklok/minder, affected from 0, fixed in 0.0.48 (all versions < 0.0.48)
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
References (8)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2024-34084
- PATCH: https://github.com/stacklok/minder
- WEB: https://github.com/stacklok/minder/blob/ee66f6c0763212503c898cfefb65ce1450c7f5ac/internal/controlplane/handlers_githubwebhooks.go#L213-L218
- WEB: https://github.com/stacklok/minder/blob/ee66f6c0763212503c898cfefb65ce1450c7f5ac/internal/controlplane/handlers_githubwebhooks.go#L337-L342
- WEB: https://github.com/stacklok/minder/blob/ee66f6c0763212503c898cfefb65ce1450c7f5ac/internal/controlplane/handlers_githubwebhooks.go#L367-L377
- WEB: https://github.com/stacklok/minder/blob/ee66f6c0763212503c898cfefb65ce1450c7f5ac/internal/controlplane/handlers_githubwebhooks_test.go#L278-L283
- WEB: https://github.com/stacklok/minder/commit/3e5a527d2f1b535159206161d1d519602c75bd0d
- WEB: https://github.com/stacklok/minder/security/advisories/GHSA-9c5w-9q3f-3hv7