Vulnerability Report: GO-2024-2821

CVE-2024-34084, GHSA-9c5w-9q3f-3hv7
Affects: github.com/stacklok/minder
Published: May 10, 2024
Modified: May 20, 2024

HandleGithubWebhook is susceptible to a denial of service attack from an untrusted HTTP request. An untrusted request can cause the server to allocate large amounts of memory resulting in a denial of service.

For detailed information about this vulnerability, visit https://github.com/stacklok/minder/security/advisories/GHSA-9c5w-9q3f-3hv7.

Affected Packages

Path

Go Versions

Symbols
github.com/stacklok/minder/internal/controlplane

before v0.0.48
- Server.HandleGitHubWebHook
- Server.StartHTTPServer

Aliases

CVE-2024-34084
GHSA-9c5w-9q3f-3hv7

References

https://github.com/stacklok/minder/security/advisories/GHSA-9c5w-9q3f-3hv7
https://github.com/stacklok/minder/commit/3e5a527d2f1b535159206161d1d519602c75bd0d
https://github.com/stacklok/minder/blob/ee66f6c0763212503c898cfefb65ce1450c7f5ac/internal/controlplane/handlers_githubwebhooks.go#L213-L218
https://github.com/stacklok/minder/blob/ee66f6c0763212503c898cfefb65ce1450c7f5ac/internal/controlplane/handlers_githubwebhooks.go#L337-L342
https://github.com/stacklok/minder/blob/ee66f6c0763212503c898cfefb65ce1450c7f5ac/internal/controlplane/handlers_githubwebhooks.go#L367-L377
https://github.com/stacklok/minder/blob/ee66f6c0763212503c898cfefb65ce1450c7f5ac/internal/controlplane/handlers_githubwebhooks_test.go#L278-L283
https://vuln.go.dev/ID/GO-2024-2821.json

Credits

@AdamKorcz and @DavidKorczynski

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL