Lucene search

GitHub_MVULNRICHMENT:CVE-2024-34084

HistoryMay 07, 2024 - 2:12 p.m.

CVE-2024-34084 Minder's Github Webhook Handler vulnerable to denial of service from un-validated requests

2024-05-0714:12:19

CWE-400

GitHub_M

github.com

minder

github webhook handler

denial of service

un-validated requests

vulnerability

http request

crash

controlplane

fixed

cve-2024-34084

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

6.6 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.2%

JSON

Minder’s HandleGithubWebhook is susceptible to a denial of service attack from an untrusted HTTP request. The vulnerability exists before the request has been validated, and as such the request is still untrusted at the point of failure. This allows an attacker with the ability to send requests to HandleGithubWebhook to crash the Minder controlplane and deny other users from using it. This vulnerability is fixed in 0.0.48.

CNA Affected

[
  {
    "vendor": "stacklok",
    "product": "minder",
    "versions": [
      {
        "version": "< 0.0.48",
        "status": "affected"
      }
    ]
  }
]

References

github.com/stacklok/minder/commit/3e5a527d2f1b535159206161d1d519602c75bd0d

github.com/stacklok/minder/security/advisories/GHSA-9c5w-9q3f-3hv7

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

6.6 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.2%

JSON

Related for VULNRICHMENT:CVE-2024-34084