CVE-2024-37904: Minder affected by denial of service from maliciously configured Git repository
Minder's Git provider is vulnerable to a denial of service from a maliciously configured GitHub repository. The Git provider clones users' repositories using the github.com/go-git/go-git/v5 library on these lines:
The Git provider does the following on these lines:
First, it sets the CloneOptions, specifying the URL, the depth, etc.:
It then validates the options:
It then sets up an in-memory filesystem, to which it clones:
Finally, it clones the repository:
This (g *Git) Clone() method is vulnerable to a DoS attack: a Minder user can instruct Minder to clone a large repository, which will exhaust memory and crash the Minder server. The root cause of this vulnerability is a combination of the following conditions:
- Users can control the Git URL which Minder clones.
- Minder does not enforce a size limit to the repository.
- Minder clones the entire repository into memory.
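One defensive check that addresses the second condition, added here as an example and not Minder's own code or its actual fix: ask the GitHub REST API for the repository object and compare its `size` field (reported in kilobytes) against a budget before any clone into memory begins. `CheckRepoSize`, `NewSampleAPI`, and the `acme/small` and `acme/huge` repositories with their sizes are assumptions constructed for this example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// ErrRepoTooLarge marks a repository refused before any clone work begins.
var ErrRepoTooLarge = errors.New("repository exceeds size limit")

// CheckRepoSize fetches the repository object from the GitHub REST API and compares
// its "size" field (kilobytes) against maxKB, so an oversized repository is refused
// by one small HTTP request instead of being discovered by an unbounded in-memory clone.
// apiBase is https://api.github.com in production and the constructed server below in tests.
func CheckRepoSize(client *http.Client, apiBase, owner, repo string, maxKB int64) (int64, error) {
	endpoint := fmt.Sprintf("%s/repos/%s/%s", apiBase, url.PathEscape(owner), url.PathEscape(repo))
	resp, err := client.Get(endpoint)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		// Fail closed: no metadata means no clone.
		return 0, fmt.Errorf("metadata lookup for %s/%s failed: %s", owner, repo, resp.Status)
	}
	var meta struct{ Size int64 `json:"size"` }
	// Bound the metadata body as well: no step should trust a remote-controlled size.
	if err := json.NewDecoder(io.LimitReader(resp.Body, 1<<20)).Decode(&meta); err != nil {
		return 0, err
	}
	if meta.Size > maxKB {
		return meta.Size, fmt.Errorf("%w: %d KB > %d KB", ErrRepoTooLarge, meta.Size, maxKB)
	}
	return meta.Size, nil
}

// NewSampleAPI is a constructed stand-in for api.github.com serving two repositories
// (assumed names and sizes, not real data).
func NewSampleAPI() *httptest.Server {
	sizes := map[string]int64{"/repos/acme/small": 512, "/repos/acme/huge": 8_000_000}
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if size, ok := sizes[r.URL.Path]; ok {
			fmt.Fprintf(w, `{"size": %d}`, size)
			return
		}
		w.WriteHeader(http.StatusNotFound)
	}))
}
```

The check only bounds what the clone is asked to fetch; an in-memory clone should still be paired with a depth limit and a memory budget on the server itself, since the advisory's third condition is the unbounded in-memory filesystem.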
References
- github.com/advisories/GHSA-hpcg-xjq5-g666
- github.com/stacklok/minder
- github.com/stacklok/minder/blob/85985445c8ac3e51f03372e99c7b2f08a6d274aa/internal/providers/git/git.go
- github.com/stacklok/minder/commit/35bab8f9a6025eea9e6e3cef6bd80707ac03d2a9
- github.com/stacklok/minder/commit/7979b43
- github.com/stacklok/minder/security/advisories/GHSA-hpcg-xjq5-g666
- nvd.nist.gov/vuln/detail/CVE-2024-37904