Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

x/vulndb: potential Go vuln in github.com/stacklok/minder: CVE-2024-35238 #2885

Closed
GoVulnBot opened this issue May 27, 2024 · 1 comment
Closed

x/vulndb: potential Go vuln in github.com/stacklok/minder: CVE-2024-35238 #2885

GoVulnBot opened this issue May 27, 2024 · 1 comment
Labels
triaged

Comments

@GoVulnBot
Copy link

CVE-2024-35238 references github.com/stacklok/minder, which may be a Go module.

Description:
Minder by Stacklok is an open source software supply chain security platform. Minder prior to version 0.0.51 is vulnerable to a denial-of-service (DoS) attack which could allow an attacker to crash the Minder server and deny other users access to it. The root cause of the vulnerability is that Minders sigstore verifier reads an untrusted response entirely into memory without enforcing a limit on the response body. An attacker can exploit this by making Minder make a request to an attacker-controlled endpoint which returns a response with a large body which will crash the Minder server. Specifically, the point of failure is where Minder parses the response from the GitHub attestations endpoint in getAttestationReply. Here, Minder makes a request to the orgs/$owner/attestations/$checksumref GitHub endpoint (line 285) and then parses the response into the AttestationReply (line 295). The way Minder parses the response on line 295 makes it prone to DoS if the response is large enough. Essentially, the response needs to be larger than the machine has available memory. Version 0.0.51 contains a patch for this issue.

The content that is hosted at the orgs/$owner/attestations/$checksumref GitHub attestation endpoint is controlled by users including unauthenticated users to Minders threat model. However, a user will need to configure their own Minder settings to cause Minder to make Minder send a request to fetch the attestations. The user would need to know of a package whose attestations were configured in such a way that they would return a large response when fetching them. As such, the steps needed to carry out this attack would look as such:

  1. The attacker adds a package to ghcr.io with attestations that can be fetched via the orgs/$owner/attestations/$checksumref GitHub endpoint.
  2. The attacker registers on Minder and makes Minder fetch the attestations.
  3. Minder fetches attestations and crashes thereby being denied of service.

References:

Cross references:

See doc/triage.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/stacklok/minder
      vulnerable_at: 0.0.51
      packages:
        - package: minder
summary: CVE-2024-35238 in github.com/stacklok/minder
cves:
    - CVE-2024-35238
references:
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-35238
    - fix: https://github.com/stacklok/minder/commit/fe321d345b4f738de6a06b13207addc72b59f892
    - web: https://github.com/stacklok/minder/blob/daccbc12e364e2d407d56b87a13f7bb24cbdb074/internal/verifier/sigstore/container/container.go#L271-L300
    - web: https://github.com/stacklok/minder/security/advisories/GHSA-8fmj-33gw-g7pw
source:
    id: CVE-2024-35238
    created: 2024-05-27T19:01:29.282888621Z
review_status: UNREVIEWED
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/590277 mentions this issue: data/reports: add 26 unreviewed reports

This was referenced Jun 18, 2024
Closed
Closed
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees
No one assigned
Labels
triaged
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@tatianab @gopherbot @GoVulnBot