CVE-2024-34084 - Vulnerability Details - OpenCVE

Minder's `HandleGithubWebhook` is susceptible to a denial of service attack from an untrusted HTTP request. The vulnerability exists before the request has been validated, and as such the request is still untrusted at the point of failure. This allows an attacker with the ability to send requests to `HandleGithubWebhook` to crash the Minder controlplane and deny other users from using it. This vulnerability is fixed in 0.0.48.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00149.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2024-1551	Minder's `HandleGithubWebhook` is susceptible to a denial of service attack from an untrusted HTTP request. The vulnerability exists before the request has been validated, and as such the request is still untrusted at the point of failure. This allows an attacker with the ability to send requests to `HandleGithubWebhook` to crash the Minder controlplane and deny other users from using it. This vulnerability is fixed in 0.0.48.
Github GHSA	GHSA-9c5w-9q3f-3hv7	Minder's GitHub Webhook Handler vulnerable to DoS from un-validated requests

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/stacklok/minder/commit/3e5a527d2f1b535159206161d1d519602c75bd0d
https://github.com/stacklok/minder/security/advisories/GHSA-9c5w-9q3f-3hv7

History

No history.

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-05-07T14:12:19.954Z

Updated: 2024-08-02T02:42:59.894Z

Reserved: 2024-04-30T06:56:33.385Z

Link: CVE-2024-34084

Vulnrichment

Updated: 2024-08-02T02:42:59.894Z

NVD

Status : Awaiting Analysis

Published: 2024-05-07T15:15:09.540

Modified: 2024-11-21T09:18:03.513

Link: CVE-2024-34084

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-400

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-34084", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-04-30T06:56:33.385Z", "datePublished": "2024-05-07T14:12:19.954Z", "dateUpdated": "2024-08-02T02:42:59.894Z"}, "containers": {"cna": {"title": "Minder's Github Webhook Handler vulnerable to denial of service from un-validated requests", "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "lang": "en", "description": "CWE-400: Uncontrolled Resource Consumption", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/stacklok/minder/security/advisories/GHSA-9c5w-9q3f-3hv7", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/stacklok/minder/security/advisories/GHSA-9c5w-9q3f-3hv7"}, {"name": "https://github.com/stacklok/minder/commit/3e5a527d2f1b535159206161d1d519602c75bd0d", "tags": ["x_refsource_MISC"], "url": "https://github.com/stacklok/minder/commit/3e5a527d2f1b535159206161d1d519602c75bd0d"}], "affected": [{"vendor": "stacklok", "product": "minder", "versions": [{"version": "< 0.0.48", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-05-07T14:12:19.954Z"}, "descriptions": [{"lang": "en", "value": "Minder's `HandleGithubWebhook` is susceptible to a denial of service attack from an untrusted HTTP request. The vulnerability exists before the request has been validated, and as such the request is still untrusted at the point of failure. This allows an attacker with the ability to send requests to `HandleGithubWebhook` to crash the Minder controlplane and deny other users from using it. This vulnerability is fixed in 0.0.48."}], "source": {"advisory": "GHSA-9c5w-9q3f-3hv7", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-34084", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-07T18:05:18.956707Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:stacklok:minder:*:*:*:*:*:*:*:*"], "vendor": "stacklok", "product": "minder", "versions": [{"status": "affected", "version": "0", "lessThan": "0.0.48", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:42:25.762Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T02:42:59.894Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/stacklok/minder/security/advisories/GHSA-9c5w-9q3f-3hv7", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/stacklok/minder/security/advisories/GHSA-9c5w-9q3f-3hv7"}, {"name": "https://github.com/stacklok/minder/commit/3e5a527d2f1b535159206161d1d519602c75bd0d", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/stacklok/minder/commit/3e5a527d2f1b535159206161d1d519602c75bd0d"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/stacklok/minder/security/advisories/GHSA-9c5w-9q3f-3hv7", "name": "https://github.com/stacklok/minder/security/advisories/GHSA-9c5w-9q3f-3hv7", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/stacklok/minder/commit/3e5a527d2f1b535159206161d1d519602c75bd0d", "name": "https://github.com/stacklok/minder/commit/3e5a527d2f1b535159206161d1d519602c75bd0d", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T02:42:59.894Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-34084", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-07T18:05:18.956707Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:stacklok:minder:*:*:*:*:*:*:*:*"], "vendor": "stacklok", "product": "minder", "versions": [{"status": "affected", "version": "0", "lessThan": "0.0.48", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-07T18:06:04.958Z"}}], "cna": {"title": "Minder's Github Webhook Handler vulnerable to denial of service from un-validated requests", "source": {"advisory": "GHSA-9c5w-9q3f-3hv7", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "stacklok", "product": "minder", "versions": [{"status": "affected", "version": "< 0.0.48"}]}], "references": [{"url": "https://github.com/stacklok/minder/security/advisories/GHSA-9c5w-9q3f-3hv7", "name": "https://github.com/stacklok/minder/security/advisories/GHSA-9c5w-9q3f-3hv7", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/stacklok/minder/commit/3e5a527d2f1b535159206161d1d519602c75bd0d", "name": "https://github.com/stacklok/minder/commit/3e5a527d2f1b535159206161d1d519602c75bd0d", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Minder's `HandleGithubWebhook` is susceptible to a denial of service attack from an untrusted HTTP request. The vulnerability exists before the request has been validated, and as such the request is still untrusted at the point of failure. This allows an attacker with the ability to send requests to `HandleGithubWebhook` to crash the Minder controlplane and deny other users from using it. This vulnerability is fixed in 0.0.48."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-05-07T14:12:19.954Z"}}}, "cveMetadata": {"cveId": "CVE-2024-34084", "state": "PUBLISHED", "dateUpdated": "2024-08-02T02:42:59.894Z", "dateReserved": "2024-04-30T06:56:33.385Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-05-07T14:12:19.954Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"descriptions": [{"lang": "en", "value": "Minder's `HandleGithubWebhook` is susceptible to a denial of service attack from an untrusted HTTP request. The vulnerability exists before the request has been validated, and as such the request is still untrusted at the point of failure. This allows an attacker with the ability to send requests to `HandleGithubWebhook` to crash the Minder controlplane and deny other users from using it. This vulnerability is fixed in 0.0.48."}, {"lang": "es", "value": "El `HandleGithubWebhook` de Minder es susceptible a un ataque de denegaci\u00f3n de servicio procedente de una solicitud HTTP que no es de confianza. La vulnerabilidad existe antes de que se haya validado la solicitud y, como tal, la solicitud a\u00fan no es confiable en el momento del error. Esto permite que un atacante con la capacidad de enviar solicitudes a \"HandleGithubWebhook\" bloquee el plano de control de Minder y niegue a otros usuarios su uso. Esta vulnerabilidad se solucion\u00f3 en 0.0.48."}], "id": "CVE-2024-34084", "lastModified": "2024-11-21T09:18:03.513", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-05-07T15:15:09.540", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/stacklok/minder/commit/3e5a527d2f1b535159206161d1d519602c75bd0d"}, {"source": "security-advisories@github.com", "url": "https://github.com/stacklok/minder/security/advisories/GHSA-9c5w-9q3f-3hv7"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/stacklok/minder/commit/3e5a527d2f1b535159206161d1d519602c75bd0d"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/stacklok/minder/security/advisories/GHSA-9c5w-9q3f-3hv7"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "security-advisories@github.com", "type": "Secondary"}]}