{
  "id": "CVE-2024-35238",
  "sourceIdentifier": "security-advisories@github.com",
  "published": "2024-05-27T18:15:09.920",
  "lastModified": "2024-11-21T09:19:59.900",
  "vulnStatus": "Awaiting Analysis",
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Minder by Stacklok is an open source software supply chain security platform. Minder prior to version 0.0.51 is vulnerable to a denial-of-service (DoS) attack which could allow an attacker to crash the Minder server and deny other users access to it. The root cause of the vulnerability is that Minders sigstore verifier reads an untrusted response entirely into memory without enforcing a limit on the response body. An attacker can exploit this by making Minder make a request to an attacker-controlled endpoint which returns a response with a large body which will crash the Minder server. Specifically, the point of failure is where Minder parses the response from the GitHub attestations endpoint in `getAttestationReply`. Here, Minder makes a request to the `orgs/$owner/attestations/$checksumref` GitHub endpoint (line 285) and then parses the response into the `AttestationReply` (line 295). The way Minder parses the response on line 295 makes it prone to DoS if the response is large enough. Essentially, the response needs to be larger than the machine has available memory.  Version 0.0.51 contains a patch for this issue.\n\nThe content that is hosted at the `orgs/$owner/attestations/$checksumref` GitHub attestation endpoint is controlled by users including unauthenticated users to Minders threat model. However, a user will need to configure their own Minder settings to cause Minder to make Minder send a request to fetch the attestations. The user would need to know of a package whose attestations were configured in such a way that they would return a large response when fetching them. As such, the steps needed to carry out this attack would look as such:\n\n1. The attacker adds a package to ghcr.io with attestations that can be fetched via the `orgs/$owner/attestations/$checksumref` GitHub endpoint.\n2. The attacker registers on Minder and makes Minder fetch the attestations.\n3. Minder fetches attestations and crashes thereby being denied of service."
    },
    {
      "lang": "es",
      "value": "Minder de Stacklok es una plataforma de seguridad de la cadena de suministro de software de c\u00f3digo abierto. Minder anterior a la versi\u00f3n 0.0.51 es vulnerable a un ataque de denegaci\u00f3n de servicio (DoS) que podr\u00eda permitir a un atacante bloquear el servidor Minder y negar el acceso a \u00e9l a otros usuarios. La causa principal de la vulnerabilidad es que el verificador del almac\u00e9n de firmas de Minders lee una respuesta que no es de confianza completamente en la memoria sin imponer un l\u00edmite en el cuerpo de la respuesta. Un atacante puede aprovechar esto haciendo que Minder realice una solicitud a un endpoint controlado por el atacante que devuelva una respuesta con un cuerpo grande que bloquear\u00e1 el servidor Minder. Espec\u00edficamente, el punto de falla es donde Minder analiza la respuesta del endpoint de atestaciones de GitHub en \"getAttestationReply\". Aqu\u00ed, Minder realiza una solicitud al endpoint de GitHub `orgs/$owner/attestations/$checksumref` (l\u00ednea 285) y luego analiza la respuesta en `AttestationReply` (l\u00ednea 295). La forma en que Minder analiza la respuesta en la l\u00ednea 295 la hace propensa a DoS si la respuesta es lo suficientemente grande. Esencialmente, la respuesta debe ser mayor que la memoria disponible de la m\u00e1quina. La versi\u00f3n 0.0.51 contiene un parche para este problema. El contenido alojado en el endpoint de atestaci\u00f3n de GitHub `orgs/$owner/attestations/$checksumref` est\u00e1 controlado por usuarios, incluidos los usuarios no autenticados, del modelo de amenazas de Minders. Sin embargo, un usuario deber\u00e1 configurar sus propios ajustes de Minder para que Minder haga que Minder env\u00ede una solicitud para recuperar las certificaciones. El usuario necesitar\u00eda conocer un paquete cuyas certificaciones estuvieran configuradas de tal manera que devolviera una respuesta grande al recuperarlas. Como tal, los pasos necesarios para llevar a cabo este ataque ser\u00edan los siguientes: 1. El atacante agrega un paquete a ghcr.io con certificaciones que se pueden recuperar a trav\u00e9s del endpoint de GitHub `orgs/$owner/attestations/$checksumref`. 2. El atacante se registra en Minder y hace que Minder busque las certificaciones. 3. Minder obtiene certificaciones y falla, por lo que se le niega el servicio."
    }
  ],
  "metrics": {
    "cvssMetricV31": [
      {
        "source": "security-advisories@github.com",
        "type": "Secondary",
        "cvssData": {
          "version": "3.1",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "attackVector": "NETWORK",
          "attackComplexity": "HIGH",
          "privilegesRequired": "LOW",
          "userInteraction": "NONE",
          "scope": "UNCHANGED",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "availabilityImpact": "HIGH"
        },
        "exploitabilityScore": 1.6,
        "impactScore": 3.6
      }
    ]
  },
  "weaknesses": [
    {
      "source": "security-advisories@github.com",
      "type": "Secondary",
      "description": [
        {
          "lang": "en",
          "value": "CWE-770"
        }
      ]
    }
  ],
  "references": [
    {
      "url": "https://github.com/stacklok/minder/blob/daccbc12e364e2d407d56b87a13f7bb24cbdb074/internal/verifier/sigstore/container/container.go#L271-L300",
      "source": "security-advisories@github.com"
    },
    {
      "url": "https://github.com/stacklok/minder/commit/fe321d345b4f738de6a06b13207addc72b59f892",
      "source": "security-advisories@github.com"
    },
    {
      "url": "https://github.com/stacklok/minder/security/advisories/GHSA-8fmj-33gw-g7pw",
      "source": "security-advisories@github.com"
    },
    {
      "url": "https://github.com/stacklok/minder/blob/daccbc12e364e2d407d56b87a13f7bb24cbdb074/internal/verifier/sigstore/container/container.go#L271-L300",
      "source": "af854a3a-2127-422b-91ae-364da2661108"
    },
    {
      "url": "https://github.com/stacklok/minder/commit/fe321d345b4f738de6a06b13207addc72b59f892",
      "source": "af854a3a-2127-422b-91ae-364da2661108"
    },
    {
      "url": "https://github.com/stacklok/minder/security/advisories/GHSA-8fmj-33gw-g7pw",
      "source": "af854a3a-2127-422b-91ae-364da2661108"
    }
  ]
}