CVE-2024-35194

May 20, 2024, 9:15 p.m.

5.3
Medium

Description

Minder is a software supply chain security platform. Prior to version 0.0.50, Minder engine is susceptible to a denial of service from memory exhaustion that can be triggered from maliciously created templates. Minder engine uses templating to generate strings for various use cases such as URLs, messages for pull requests, descriptions for advisories. In some cases can the user control both the template and the params for it, and in a subset of these cases, Minder reads the generated template entirely into memory. When Minders templating meets both of these conditions, an attacker is able to generate large enough templates that Minder will exhaust memory and crash. This vulnerability is fixed in 0.0.50.

Product(s) Impacted

Product Versions
Minder
  • ['before 0.0.50']

Weaknesses

Common security weaknesses mapped to this vulnerability.

References

https://github.com/stacklok/minder/commit/fe321d345b4f738de6a06b13207addc72b59f892
https://github.com/stacklok/minder/security/advisories/GHSA-crgc-2583-rw27

Tags

security-advisories@github.com
CWE-400
2024-05-20
CVE-2024-35194

CVSS Score

5.3 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: HIGH
  • Privileges Required: LOW
  • Scope: UNCHANGED
  • Confidentiality Impact: NONE
  • Integrity Impact: NONE
  • Availability Impact: HIGH

    • CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

    View Vector String

Timeline

Published: May 20, 2024, 9:15 p.m.
Last Modified: May 20, 2024, 9:15 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.