Back

CVE-2024-37904

June 18, 2024, 5:15 p.m.

Received
CVE has been recently published to the CVE List and has been received by the NVD.

Products

Minder

  • v0.0.52

Source

security-advisories@github.com

Tags

security-advisories@github.com
CWE-400
2024-06-18
CVE-2024-37904

CVE-2024-37904 details

Published : June 18, 2024, 5:15 p.m.
Last Modified : June 18, 2024, 5:15 p.m.

Description

Minder is an open source Software Supply Chain Security Platform. Minder's Git provider is vulnerable to a denial of service from a maliciously configured GitHub repository. The Git provider clones users repositories using the `github.com/go-git/go-git/v5` library on lines `L55-L89`. The Git provider does the following on the lines `L56-L62`. First, it sets the `CloneOptions`, specifying the url, the depth etc. It then validates the options. It then sets up an in-memory filesystem, to which it clones and Finally, it clones the repository. The `(g *Git) Clone()` method is vulnerable to a DoS attack: A Minder user can instruct Minder to clone a large repository which will exhaust memory and crash the Minder server. The root cause of this vulnerability is a combination of the following conditions: 1. Users can control the Git URL which Minder clones, 2. Minder does not enforce a size limit to the repository, 3. Minder clones the entire repository into memory. This issue has been addressed in commit `7979b43` which has been included in release version v0.0.52. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS Score

1 2 3 4 5.7 6 7 8 9 10

Weakness

Weakness Name Description
CWE-400 Uncontrolled Resource Consumption The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

CVSS Data

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

Base Score

5.7

Exploitability Score

2.1

Impact Score

3.6

Base Severity

MEDIUM

Vector String : CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H

References

URL Source
https://github.com/stacklok/minder/blob/85985445c8ac3e51f03372e99c7b2f08a6d274aa/internal/providers/git/git.go#L55-L89 security-advisories@github.com
https://github.com/stacklok/minder/blob/85985445c8ac3e51f03372e99c7b2f08a6d274aa/internal/providers/git/git.go#L56-L62 security-advisories@github.com
https://github.com/stacklok/minder/commit/7979b43 security-advisories@github.com
https://github.com/stacklok/minder/security/advisories/GHSA-hpcg-xjq5-g666 security-advisories@github.com
This website uses the NVD API, but is not approved or certified by it.