SCA: security update for github.com/stacklok/minder (GHSA-8fmj-33gw-g7pw)

medium Tenable Cloud Security Plugin ID 412632

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Minder by Stacklok is an open source software supply chain security platform. Minder prior to version
0.0.51 is vulnerable to a denial-of-service (DoS) attack which could allow an attacker to crash the Minder
server and deny other users access to it. The root cause of the vulnerability is that Minders sigstore
verifier reads an untrusted response entirely into memory without enforcing a limit on the response body.
An attacker can exploit this by making Minder make a request to an attacker-controlled endpoint which
returns a response with a large body which will crash the Minder server. Specifically, the point of
failure is where Minder parses the response from the GitHub attestations endpoint in
`getAttestationReply`. Here, Minder makes a request to the `orgs/$owner/attestations/$checksumref` GitHub
endpoint (line 285) and then parses the response into the `AttestationReply` (line 295). The way Minder
parses the response on line 295 makes it prone to DoS if the response is large enough. Essentially, the
response needs to be larger than the machine has available memory. Version 0.0.51 contains a patch for
this issue. The content that is hosted at the `orgs/$owner/attestations/$checksumref` GitHub attestation
endpoint is controlled by users including unauthenticated users to Minders threat model. However, a user
will need to configure their own Minder settings to cause Minder to make Minder send a request to fetch
the attestations. The user would need to know of a package whose attestations were configured in such a
way that they would return a large response when fetching them. As such, the steps needed to carry out
this attack would look as such: 1. The attacker adds a package to ghcr.io with attestations that can be
fetched via the `orgs/$owner/attestations/$checksumref` GitHub endpoint. 2. The attacker registers on
Minder and makes Minder fetch the attestations. 3. Minder fetches attestations and crashes thereby being
denied of service. (CVE-2024-35238)

See Also

https://github.com/advisories/GHSA-8fmj-33gw-g7pw

Plugin Details

Severity: Medium

ID: 412632

Version: Revision 1.4

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.92

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 4.9

Temporal Score: 3.6

Vector: CVSS2#AV:N/AC:H/Au:S/C:N/I:N/A:C

CVSS Score Source: CVE-2024-35238

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Temporal Score: 4.6

Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 5/28/2024

Vulnerability Publication Date: 5/27/2024

Reference Information

CVE: CVE-2024-35238

cwe: CWE-770