CVE-2024-37904
📋 TL;DR
Minder's Git provider is vulnerable to a denial-of-service attack where authenticated users can cause the Minder server to crash by instructing it to clone excessively large GitHub repositories. The vulnerability occurs because Minder clones repositories entirely into memory without size limits. This affects all Minder deployments where users can configure Git repository URLs.
💻 Affected Systems
- Minder Software Supply Chain Security Platform
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete Minder server crash leading to service unavailability for all users, potentially requiring manual restart and causing data loss for in-progress operations.
Likely Case
Temporary service disruption when users intentionally or accidentally clone large repositories, causing memory exhaustion and process termination.
If Mitigated
With proper controls, the impact is limited to failed clone operations for oversized repositories without affecting overall service availability.
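Two defender-side controls that keep a clone from consuming unbounded memory, as an added Go example (not Minder's patched code): a pre-flight check on the size GitHub reports for a repository, and a byte budget applied to the clone stream itself. It assumes the metadata JSON comes from GitHub's get-a-repository endpoint, whose `size` field is reported in kilobytes; the sample values are constructed.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// ErrRepoTooLarge is returned when a repository exceeds the clone budget.
var ErrRepoTooLarge = errors.New("repository exceeds clone size budget")

// repoMeta keeps the one field needed from GitHub's "get a repository"
// API response, which reports "size" in kilobytes.
type repoMeta struct {
	SizeKB int64 `json:"size"`
}

// CheckRepoSize is the pre-flight check: reject a repository whose
// reported size exceeds maxBytes before any clone is started.
func CheckRepoSize(metaJSON []byte, maxBytes int64) error {
	var m repoMeta
	if err := json.Unmarshal(metaJSON, &m); err != nil {
		return fmt.Errorf("parse repo metadata: %w", err)
	}
	if m.SizeKB*1024 > maxBytes {
		return fmt.Errorf("%w: %d KB reported", ErrRepoTooLarge, m.SizeKB)
	}
	return nil
}

// ReadWithBudget is the in-clone guard: it drains the transport stream
// (e.g. the pack data) into memory but reads at most maxBytes+1 bytes, so a
// mis-reported or growing repository fails the clone instead of filling RAM.
func ReadWithBudget(r io.Reader, maxBytes int64) ([]byte, error) {
	data, err := io.ReadAll(io.LimitReader(r, maxBytes+1))
	if err != nil {
		return nil, fmt.Errorf("read clone stream: %w", err)
	}
	if int64(len(data)) > maxBytes {
		return nil, fmt.Errorf("%w: more than %d bytes received", ErrRepoTooLarge, maxBytes)
	}
	return data, nil
}

func main() {
	// Constructed metadata, not a real API response: ~4.8 GiB reported.
	meta := []byte(`{"name":"demo","size":5000000}`)
	fmt.Println(CheckRepoSize(meta, 1<<30)) // budget of 1 GiB: rejected
}
```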
🎯 Exploit Status
Exploitation requires authenticated access to Minder but is trivial to execute by pointing to any large public or private repository.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v0.0.52
Vendor Advisory: https://github.com/stacklok/minder/security/advisories/GHSA-hpcg-xjq5-g666
Restart Required: Yes
Instructions:
1. Stop the Minder service.
2. Update to v0.0.52 or later using your package manager or a direct download.
3. Restart the Minder service.
4. Verify the version with the 'minder version' command.
🔧 Temporary Workarounds
No official workarounds
The vendor advisory states there are no known workarounds for this vulnerability.
🧯 If You Can't Patch
- Implement network-level controls to restrict Git repository access to trusted sources only
- Monitor memory usage and implement automatic restart policies for Minder processes
🔍 How to Verify
Check if Vulnerable:
Check Minder version: if version is earlier than v0.0.52, the system is vulnerable.
Check Version:
minder version
Verify Fix Applied:
After patching, verify version is v0.0.52 or later and test cloning a repository to ensure it completes without memory exhaustion.
📡 Detection & Monitoring
Log Indicators:
- Memory exhaustion errors
- Process termination/crash logs
- Failed Git clone operations with large repositories
Network Indicators:
- Unusually large Git clone operations to Minder server
SIEM Query:
source="minder.log" AND ("out of memory" OR "panic" OR "fatal error")
🔗 References
- https://github.com/stacklok/minder/blob/85985445c8ac3e51f03372e99c7b2f08a6d274aa/internal/providers/git/git.go#L55-L89
- https://github.com/stacklok/minder/blob/85985445c8ac3e51f03372e99c7b2f08a6d274aa/internal/providers/git/git.go#L56-L62
- https://github.com/stacklok/minder/commit/7979b43
- https://github.com/stacklok/minder/security/advisories/GHSA-hpcg-xjq5-g666