CVE-2024-35238
📋 TL;DR
Minder versions prior to 0.0.51 are vulnerable to a denial of service: the server can be crashed by forcing it to read excessively large responses from GitHub attestation endpoints without any size cap. This affects every Minder deployment running a vulnerable version and can deny service to all legitimate users of that instance. Exploitation requires an attacker who can configure Minder so that it fetches attestations the attacker controls.
💻 Affected Systems
- Stacklok Minder
⚠️ Manual Verification Required
Automated detection cannot match this CVE to a version range in our database, so it cannot determine on its own whether your system is affected.
Why? The database entry carries no machine-readable version range. The vendor advisory (GHSA-8fmj-33gw-g7pw) does state that versions prior to 0.0.51 are affected, so check the version you are actually running by hand.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete service outage of Minder platform, disrupting software supply chain security monitoring for all users
Likely Case
Intermittent service disruptions when attackers target specific Minder instances
If Mitigated
No impact with proper response size limits and input validation
🎯 Exploit Status
Exploitation requires the attacker to have a Minder account and the ability to configure packages whose attestations the attacker controls; no public exploit is referenced on this page.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.0.51
Vendor Advisory: https://github.com/stacklok/minder/security/advisories/GHSA-8fmj-33gw-g7pw
Restart Required: Yes
Instructions:
1. Stop the Minder service.
2. Update to version 0.0.51 or later.
3. Restart the Minder service.
4. Verify the service is running correctly.
🔧 Temporary Workarounds
Limit GitHub attestation access
Restrict which GitHub organizations/packages Minder can fetch attestations from
Configure Minder to only fetch attestations from trusted sources
Implement response size limits
Route Minder's outbound calls to external APIs through an egress (forward) proxy that enforces a maximum response body size
Note that a reverse proxy in front of Minder does not help here: nginx's client_max_body_size limits request bodies that clients send to Minder, not response bodies that Minder receives from GitHub
🧯 If You Can't Patch
- Disable GitHub attestation verification feature in Minder configuration
- Implement network segmentation to isolate Minder from untrusted networks
🔍 How to Verify
Check if Vulnerable:
Check Minder version: if version < 0.0.51, system is vulnerable
Check Version:
minder --version, or check the server deployment's manifest/configuration (the image tag or binary version). The CLI version may differ from the version of the server that actually fetches attestations, so confirm the server's version, not only the client's.
Verify Fix Applied:
Verify that the running Minder server is version 0.0.51 or later, and confirm that attestation fetches returning oversized responses now fail cleanly instead of crashing the service.
📡 Detection & Monitoring
Log Indicators:
- Minder process crashes
- Out of memory errors in logs
- Repeated failed attestation requests
Network Indicators:
- Large responses from GitHub API endpoints to Minder
- Unusual patterns in attestation requests
SIEM Query:
source="minder" AND ("panic" OR "out of memory" OR ("attestation" AND "failed"))
🔗 References
- https://github.com/stacklok/minder/blob/daccbc12e364e2d407d56b87a13f7bb24cbdb074/internal/verifier/sigstore/container/container.go#L271-L300
- https://github.com/stacklok/minder/commit/fe321d345b4f738de6a06b13207addc72b59f892
- https://github.com/stacklok/minder/security/advisories/GHSA-8fmj-33gw-g7pw