CVE-2024-35194
📋 TL;DR
CVE-2024-35194 is a denial-of-service vulnerability in Minder's templating engine that allows attackers to cause memory exhaustion and crashes by submitting malicious templates. This affects Minder users who can control both templates and template parameters, potentially disrupting the software supply chain security platform. Organizations running Minder versions before 0.0.50 are vulnerable.
💻 Affected Systems
- Minder
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete service disruption of Minder platform, halting software supply chain security monitoring and potentially affecting downstream CI/CD pipelines.
Likely Case
Temporary service outages requiring manual restart of Minder instances, disrupting security checks and policy enforcement.
If Mitigated
Minimal impact with proper input validation and resource limits in place, though some performance degradation may occur.
🎯 Exploit Status
Exploitation requires authenticated access with template creation permissions. The vulnerability is straightforward to exploit once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.0.50
Vendor Advisory: https://github.com/stacklok/minder/security/advisories/GHSA-crgc-2583-rw27
Restart Required: Yes
Instructions:
1. Update Minder to version 0.0.50 or later using your package manager or deployment method.
2. Restart all Minder services.
3. Verify the update was successful by checking the version.
🔧 Temporary Workarounds
Restrict Template Permissions
Limit permissions for creating or modifying templates to trusted administrators only.
Implement Resource Limits
Configure memory limits and process monitoring so that Minder is restarted automatically if its memory usage exceeds a safe threshold.
docker run --memory=2g minder-image
kubectl set resources deployment/minder --limits=memory=2Gi
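As an added illustration of the resource-limit idea above (example code written for this page, not Minder's own fix, whose mechanism this page does not describe): a Go text/template wrapper that caps rendered output size, so a template that expands far beyond its input fails fast instead of growing memory without bound. The names RenderBounded, limitedWriter and ErrOutputTooLarge are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"strings"
	"text/template"
)

// ErrOutputTooLarge is returned once rendered output would exceed the cap.
var ErrOutputTooLarge = errors.New("template output exceeds size limit")

// limitedWriter fails the write, and so the whole execution, once the budget is spent.
type limitedWriter struct {
	w      io.Writer
	remain int64
}

func (l *limitedWriter) Write(p []byte) (int, error) {
	if int64(len(p)) > l.remain {
		return 0, ErrOutputTooLarge
	}
	n, err := l.w.Write(p)
	l.remain -= int64(n)
	return n, err
}

// RenderBounded parses and executes tmpl against data but refuses to produce
// more than maxBytes of output; text/template returns the writer's error unwrapped.
func RenderBounded(tmpl string, data any, maxBytes int64) (string, error) {
	t, err := template.New("bounded").Parse(tmpl)
	if err != nil {
		return "", err
	}
	var sb strings.Builder
	if err := t.Execute(&limitedWriter{w: &sb, remain: maxBytes}, data); err != nil {
		return "", err
	}
	return sb.String(), nil
}

func main() {
	// Constructed sample: nested range whose output grows with the square of the input.
	tmpl := "{{range .}}{{range $}}x{{end}}{{end}}"
	items := make([]int, 200) // 200 items -> 40,000 bytes of output if unbounded
	if _, err := RenderBounded(tmpl, items, 1024); errors.Is(err, ErrOutputTooLarge) {
		fmt.Println("rejected:", err)
	}
}
```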
🧯 If You Can't Patch
- Implement strict access controls to limit who can create or modify templates in Minder.
- Monitor Minder memory usage and set up alerts for abnormal memory consumption patterns.
🔍 How to Verify
Check if Vulnerable:
Check Minder version: if version is less than 0.0.50, the system is vulnerable.
Check Version:
minder --version or check deployment manifest/configuration
Verify Fix Applied:
Verify Minder version is 0.0.50 or higher and test template functionality with large inputs to ensure no memory exhaustion occurs.
📡 Detection & Monitoring
Log Indicators:
- Memory exhaustion errors
- Minder process crashes/restarts
- Out of memory (OOM) killer events
- Abnormally large template processing requests
Network Indicators:
- Increased failed API responses from Minder
- Service unavailability alerts
SIEM Query:
source="minder" AND ("out of memory" OR "OOM" OR "panic" OR "crash")
🔗 References
- https://github.com/stacklok/minder/commit/fe321d345b4f738de6a06b13207addc72b59f892
- https://github.com/stacklok/minder/security/advisories/GHSA-crgc-2583-rw27