CVE-2024-35238: Denial of service of Minder Server from maliciously crafted GitHub attestations
Minder is vulnerable to a denial-of-service (DoS) attack which could allow an attacker to crash the Minder server and deny other users access to it.
The root cause of the vulnerability is that Minders sigstore verifier reads an untrusted response entirely into memory without enforcing a limit on the response body. An attacker can exploit this by making Minder make a request to an attacker-controlled endpoint which returns a response with a large body which will crash the Minder server.
Specifically, the point of failure is where Minder parses the response from the GitHub attestations endpoint in getAttestationReply. Here, Minder makes a request to the orgs/$owner/attestations/$checksumref GitHub endpoint (line 285) and then parses the response into the AttestationReply (line 295):
References
- github.com/advisories/GHSA-8fmj-33gw-g7pw
- github.com/stacklok/minder
- github.com/stacklok/minder/blob/daccbc12e364e2d407d56b87a13f7bb24cbdb074/internal/verifier/sigstore/container/container.go
- github.com/stacklok/minder/commit/fe321d345b4f738de6a06b13207addc72b59f892
- github.com/stacklok/minder/security/advisories/GHSA-8fmj-33gw-g7pw
- nvd.nist.gov/vuln/detail/CVE-2024-35238
Detect and mitigate CVE-2024-35238 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →