Veracode Vulnerability Database: VERACODE:47624
History: Jun 19, 2024 - 5:22 a.m.

Denial Of Service (DoS)

2024-06-19 05:22:21
Veracode Vulnerability Database
sca.analysiscenter.veracode.com

Tags: vulnerability, input validation, git urls, minder users, memory exhaustion, server crashes

CVSS3: 5.7

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H

AI Score: 6.6
Confidence: High

github.com/stacklok/minder is vulnerable to Denial of Service (DoS). The vulnerability is caused by a lack of input validation in the Clone() method when it handles Git URLs supplied by Minder users. Because Clone() enforces no repository size limit, a Minder user can point it at a very large repository, and cloning that repository exhausts the server's memory and crashes the server.
