Back

CVE-2024-35194

May 20, 2024, 9:15 p.m.

Received
CVE has been recently published to the CVE List and has been received by the NVD.

Products

Minder

  • before 0.0.50

Source

security-advisories@github.com

Tags

security-advisories@github.com
CWE-400
2024-05-20
CVE-2024-35194

CVE-2024-35194 details

Published : May 20, 2024, 9:15 p.m.
Last Modified : May 20, 2024, 9:15 p.m.

Description

Minder is a software supply chain security platform. Prior to version 0.0.50, Minder engine is susceptible to a denial of service from memory exhaustion that can be triggered from maliciously created templates. Minder engine uses templating to generate strings for various use cases such as URLs, messages for pull requests, descriptions for advisories. In some cases can the user control both the template and the params for it, and in a subset of these cases, Minder reads the generated template entirely into memory. When Minders templating meets both of these conditions, an attacker is able to generate large enough templates that Minder will exhaust memory and crash. This vulnerability is fixed in 0.0.50.

CVSS Score

1 2 3 4 5.3 6 7 8 9 10

Weakness

Weakness Name Description

CVSS Data

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

Base Score

5.3

Exploitability Score

Impact Score

Base Severity

MEDIUM

Vector String : CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

References

URL Source
https://github.com/stacklok/minder/commit/fe321d345b4f738de6a06b13207addc72b59f892 security-advisories@github.com
https://github.com/stacklok/minder/security/advisories/GHSA-crgc-2583-rw27 security-advisories@github.com
This website uses the NVD API, but is not approved or certified by it.