CVE-2024-35194

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-35194
Minder is a software supply chain security platform. Prior to version 0.0.50, Minder engine is susceptible to a denial of service from memory exhaustion that can be triggered from maliciously created templates. Minder engine uses templating to generate strings for various use cases such as URLs, messages for pull requests, descriptions for advisories. In some cases can the user control both the template and the params for it, and in a subset of these cases, Minder reads the generated template entirely into memory. When Minders templating meets both of these conditions, an attacker is able to generate large enough templates that Minder will exhaust memory and crash. This vulnerability is fixed in 0.0.50.

5.3 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.6 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/stacklok/minder/commit/fe321d345b4f738de6a06b13207addc72b59f892
https://github.com/stacklok/minder/security/advisories/GHSA-crgc-2583-rw27
https://github.com/stacklok/minder/commit/fe321d345b4f738de6a06b13207addc72b59f892
https://github.com/stacklok/minder/security/advisories/GHSA-crgc-2583-rw27
Configurations

No configuration.

History

21 Nov 2024, 09:19

Type Values Removed Values Added
Summary
  • (es) Minder es una plataforma de seguridad de la cadena de suministro de software. Antes de la versión 0.0.50, el motor Minder es susceptible a una denegación de servicio por agotamiento de la memoria que puede desencadenarse a partir de plantillas creadas con fines malintencionados. El motor Minder utiliza plantillas para generar cadenas para diversos casos de uso, como URL, mensajes para solicitudes de extracción y descripciones para avisos. En algunos casos, el usuario puede controlar tanto la plantilla como sus parámetros y, en un subconjunto de estos casos, Minder lee la plantilla generada por completo en la memoria. Cuando las plantillas de Minders cumplen ambas condiciones, un atacante puede generar plantillas lo suficientemente grandes como para que Minder agote la memoria y falle. Esta vulnerabilidad se solucionó en 0.0.50.
References () https://github.com/stacklok/minder/commit/fe321d345b4f738de6a06b13207addc72b59f892 - () https://github.com/stacklok/minder/commit/fe321d345b4f738de6a06b13207addc72b59f892 -
References () https://github.com/stacklok/minder/security/advisories/GHSA-crgc-2583-rw27 - () https://github.com/stacklok/minder/security/advisories/GHSA-crgc-2583-rw27 -

20 May 2024, 21:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-05-20 21:15

Updated : 2024-11-21 09:19

NVD link : CVE-2024-35194

Mitre link : CVE-2024-35194

CVE.ORG link : CVE-2024-35194

JSON object : View

Products Affected

No product.

CWE
CWE-400

Uncontrolled Resource Consumption


NetmanageIT Website NetmanageIT OSINT Web NetmanageIT OpenCTI NetmanageIT PDF Tools NetmanageIT CTO Corner Blog NetmanageIT Email Header Analyzer NetmanageIT Password Pusher NetmanageIT Internet Health and Latency Dashboard NetmanageIT Dedicated Speed Test Site NetmanageIT Ubuntu Mirror 10Gbps Copyright OpenCVE 2024