x/vulndb: potential Go vuln in github.com/stacklok/minder: GHSA-hpcg-xjq5-g666 #2934

GoVulnBot · 2024-06-18T17:01:17Z

Advisory GHSA-hpcg-xjq5-g666 references a vulnerability in the following Go modules:

Module
github.com/stacklok/minder

Description:
Minder's Git provider is vulnerable to a denial of service from a maliciously
configured GitHub repository. The Git provider clones users repositories using
the github.com/go-git/go-git/v5 library on these lines:

https://github.com/stacklok/minder/blob/85985445c8ac3e51f03372e99c7b2f08a6d274aa/internal/providers/git/git.go#L55-L89

The Git provider does the following on these lines:

First, it sets the CloneOptions, specifying the url, the depth etc:

https://github.com/stacklok/minder/blob/85985445c8ac3e51f03372e99c7b2f08a6d274aa/internal/providers/git/git.go#L56-L62

It then validates th...

References:

Cross references:

Module github.com/stacklok/minder appears in issue x/vulndb: potential Go vuln in github.com/stacklok/minder: CVE-2024-27093 #2582 NOT_IMPORTABLE
Module github.com/stacklok/minder appears in issue x/vulndb: potential Go vuln in github.com/stacklok/minder: GHSA-v627-69v2-xx37 #2608
Module github.com/stacklok/minder appears in issue x/vulndb: potential Go vuln in github.com/stacklok/minder: GHSA-ggp5-28x4-xcj9 #2701
Module github.com/stacklok/minder appears in issue x/vulndb: potential Go vuln in github.com/stacklok/minder: GHSA-9c5w-9q3f-3hv7 #2821
Module github.com/stacklok/minder appears in issue x/vulndb: potential Go vuln in github.com/stacklok/minder: CVE-2024-35185 #2864
Module github.com/stacklok/minder appears in issue x/vulndb: potential Go vuln in github.com/stacklok/minder: CVE-2024-35194 #2871
Module github.com/stacklok/minder appears in issue x/vulndb: potential Go vuln in github.com/stacklok/minder: CVE-2024-35238 #2885

See doc/triage.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/stacklok/minder
      versions:
        - fixed: 0.0.52
      vulnerable_at: 0.0.51
      packages:
        - package: github.com/stacklok/minder
summary: Minder affected by denial of service from maliciously configured Git repository in github.com/stacklok/minder
cves:
    - CVE-2024-37904
ghsas:
    - GHSA-hpcg-xjq5-g666
references:
    - advisory: https://github.com/advisories/GHSA-hpcg-xjq5-g666
    - advisory: https://github.com/stacklok/minder/security/advisories/GHSA-hpcg-xjq5-g666
    - fix: https://github.com/stacklok/minder/commit/35bab8f9a6025eea9e6e3cef6bd80707ac03d2a9
source:
    id: GHSA-hpcg-xjq5-g666
    created: 2024-06-18T17:01:17.546428311Z
review_status: UNREVIEWED

The text was updated successfully, but these errors were encountered:

gopherbot · 2024-06-27T20:02:17Z

Change https://go.dev/cl/595636 mentions this issue: data/reports: add 15 unreviewed reports

tatianab added possible duplicate triaged labels Jun 20, 2024

tatianab self-assigned this Jun 25, 2024

tatianab mentioned this issue Jun 27, 2024

x/vulndb: potential Go vuln in github.com/stacklok/minder: CVE-2024-37904 #2935

Closed

tatianab removed the possible duplicate label Jun 27, 2024

gopherbot closed this as completed in 1b6c74b Jun 28, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

x/vulndb: potential Go vuln in github.com/stacklok/minder: GHSA-hpcg-xjq5-g666 #2934

x/vulndb: potential Go vuln in github.com/stacklok/minder: GHSA-hpcg-xjq5-g666 #2934

GoVulnBot commented Jun 18, 2024

gopherbot commented Jun 27, 2024

x/vulndb: potential Go vuln in github.com/stacklok/minder: GHSA-hpcg-xjq5-g666 #2934

x/vulndb: potential Go vuln in github.com/stacklok/minder: GHSA-hpcg-xjq5-g666 #2934

Comments

GoVulnBot commented Jun 18, 2024

gopherbot commented Jun 27, 2024