{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-34084", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-04-30T06:56:33.385Z", "datePublished": "2024-05-07T14:12:19.954Z", "dateUpdated": "2024-08-02T02:42:59.894Z"}, "containers": {"cna": {"title": "Minder's Github Webhook Handler vulnerable to denial of service from un-validated requests", "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "lang": "en", "description": "CWE-400: Uncontrolled Resource Consumption", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/stacklok/minder/security/advisories/GHSA-9c5w-9q3f-3hv7", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/stacklok/minder/security/advisories/GHSA-9c5w-9q3f-3hv7"}, {"name": "https://github.com/stacklok/minder/commit/3e5a527d2f1b535159206161d1d519602c75bd0d", "tags": ["x_refsource_MISC"], "url": "https://github.com/stacklok/minder/commit/3e5a527d2f1b535159206161d1d519602c75bd0d"}], "affected": [{"vendor": "stacklok", "product": "minder", "versions": [{"version": "< 0.0.48", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-05-07T14:12:19.954Z"}, "descriptions": [{"lang": "en", "value": "Minder's `HandleGithubWebhook` is susceptible to a denial of service attack from an untrusted HTTP request. The vulnerability exists before the request has been validated, and as such the request is still untrusted at the point of failure. This allows an attacker with the ability to send requests to `HandleGithubWebhook` to crash the Minder controlplane and deny other users from using it. This vulnerability is fixed in 0.0.48."}], "source": {"advisory": "GHSA-9c5w-9q3f-3hv7", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-34084", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-07T18:05:18.956707Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:stacklok:minder:*:*:*:*:*:*:*:*"], "vendor": "stacklok", "product": "minder", "versions": [{"status": "affected", "version": "0", "lessThan": "0.0.48", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:42:25.762Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T02:42:59.894Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/stacklok/minder/security/advisories/GHSA-9c5w-9q3f-3hv7", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/stacklok/minder/security/advisories/GHSA-9c5w-9q3f-3hv7"}, {"name": "https://github.com/stacklok/minder/commit/3e5a527d2f1b535159206161d1d519602c75bd0d", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/stacklok/minder/commit/3e5a527d2f1b535159206161d1d519602c75bd0d"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/stacklok/minder/security/advisories/GHSA-9c5w-9q3f-3hv7", "name": "https://github.com/stacklok/minder/security/advisories/GHSA-9c5w-9q3f-3hv7", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/stacklok/minder/commit/3e5a527d2f1b535159206161d1d519602c75bd0d", "name": "https://github.com/stacklok/minder/commit/3e5a527d2f1b535159206161d1d519602c75bd0d", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T02:42:59.894Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-34084", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-07T18:05:18.956707Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:stacklok:minder:*:*:*:*:*:*:*:*"], "vendor": "stacklok", "product": "minder", "versions": [{"status": "affected", "version": "0", "lessThan": "0.0.48", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-07T18:06:04.958Z"}}], "cna": {"title": "Minder's Github Webhook Handler vulnerable to denial of service from un-validated requests", "source": {"advisory": "GHSA-9c5w-9q3f-3hv7", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "stacklok", "product": "minder", "versions": [{"status": "affected", "version": "< 0.0.48"}]}], "references": [{"url": "https://github.com/stacklok/minder/security/advisories/GHSA-9c5w-9q3f-3hv7", "name": "https://github.com/stacklok/minder/security/advisories/GHSA-9c5w-9q3f-3hv7", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/stacklok/minder/commit/3e5a527d2f1b535159206161d1d519602c75bd0d", "name": "https://github.com/stacklok/minder/commit/3e5a527d2f1b535159206161d1d519602c75bd0d", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Minder's `HandleGithubWebhook` is susceptible to a denial of service attack from an untrusted HTTP request. The vulnerability exists before the request has been validated, and as such the request is still untrusted at the point of failure. This allows an attacker with the ability to send requests to `HandleGithubWebhook` to crash the Minder controlplane and deny other users from using it. This vulnerability is fixed in 0.0.48."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-05-07T14:12:19.954Z"}}}, "cveMetadata": {"cveId": "CVE-2024-34084", "state": "PUBLISHED", "dateUpdated": "2024-08-02T02:42:59.894Z", "dateReserved": "2024-04-30T06:56:33.385Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-05-07T14:12:19.954Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Minder's `HandleGithubWebhook` is susceptible to a denial of service attack from an untrusted HTTP request. The vulnerability exists before the request has been validated, and as such the request is still untrusted at the point of failure. This allows an attacker with the ability to send requests to `HandleGithubWebhook` to crash the Minder controlplane and deny other users from using it. This vulnerability is fixed in 0.0.48."}, {"lang": "es", "value": "El `HandleGithubWebhook` de Minder es susceptible a un ataque de denegaci\u00f3n de servicio procedente de una solicitud HTTP que no es de confianza. La vulnerabilidad existe antes de que se haya validado la solicitud y, como tal, la solicitud a\u00fan no es confiable en el momento del error. Esto permite que un atacante con la capacidad de enviar solicitudes a \"HandleGithubWebhook\" bloquee el plano de control de Minder y niegue a otros usuarios su uso. Esta vulnerabilidad se solucion\u00f3 en 0.0.48."}], "id": "CVE-2024-34084", "lastModified": "2024-05-07T20:07:58.737", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-05-07T15:15:09.540", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/stacklok/minder/commit/3e5a527d2f1b535159206161d1d519602c75bd0d"}, {"source": "security-advisories@github.com", "url": "https://github.com/stacklok/minder/security/advisories/GHSA-9c5w-9q3f-3hv7"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}