CVE-2024-35238 Denial of service of Minder Server from maliciously crafted GitHub attestations

Minder by Stacklok is an open source software supply chain security platform. Minder prior to version 0.0.51 is vulnerable to a denial-of-service DoS attack which could allow an attacker to crash the Minder server and deny other users access to it. The root cause of the vulnerability is that...

CVE-2024-35238

Summary: Minder by Stacklok (pre-0.0.51) is vulnerable to a DoS caused by the sigstore verifier reading an untrusted response without a size limit. An attacker can cause Minder to fetch attestations from a user-controlled GitHub endpoint (orgs/$owner/attestations/$checksumref) and feed a large re...