
CVE-2024-34079: octo-sts vulnerable to unauthenticated attacker causing unbounded CPU and memory usage

CVSS Score (v3.1): 3.7

Basic Information

EPSS Score: 0.17498%
Published: 5/13/2024
Updated: 7/5/2024
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

| Package Name           | Ecosystem | Vulnerable Versions | First Patched Version |
|------------------------|-----------|---------------------|-----------------------|
| github.com/octo-sts/app | go        | < 0.1.0             | 0.1.0                 |

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stemmed from uncontrolled resource consumption during OIDC discovery. The patch added response size limiting via a custom RoundTripper in provider.go's Get function. Prior to the fix, the call to oidc.NewProvider used a default HTTP client without size restrictions, making this function the entry point for processing unbounded responses. The vulnerability manifests when this function handles large responses from attacker-controlled issuer URLs during provider setup.
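The analysis above describes the fix only in outline: a custom RoundTripper that caps the size of the OIDC discovery response before oidc.NewProvider reads it. The Go program below is an added example of that pattern, written for this page; it is not octo-sts code and does not reproduce the project's provider.go. The type and function names (limitedTransport, limitedBody, NewLimitedClient, FetchDiscovery, RunDemo) are assumptions, as is the 16 KiB limit; the test issuer it spins up is constructed sample data, not a real identity provider. With go-oidc, a client built this way would be handed to oidc.NewProvider through oidc.ClientContext, which is the library's documented way to supply an http.Client; that call is mentioned in a comment and not exercised here so the program runs offline.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// ErrResponseTooLarge is returned when a response body exceeds the configured cap.
var ErrResponseTooLarge = errors.New("response body exceeds size limit")

// limitedTransport wraps an http.RoundTripper and caps how many body bytes any
// response may deliver. An issuer URL chosen by the caller can point at a server
// that streams an arbitrarily large "discovery document"; without a cap, reading
// that body into memory is unbounded. (Name and layout are this example's own.)
type limitedTransport struct {
	base  http.RoundTripper
	limit int64
}

// limitedBody hands out at most limit bytes and turns any further byte from
// upstream into ErrResponseTooLarge, rather than silently truncating.
type limitedBody struct {
	r     io.Reader
	c     io.Closer
	limit int64
	read  int64
}

func (b *limitedBody) Read(p []byte) (int, error) {
	remaining := b.limit - b.read
	if remaining <= 0 {
		// The cap is spent: probe for one more byte to tell "exactly at the
		// limit" apart from "over the limit".
		var probe [1]byte
		n, err := io.ReadFull(b.r, probe[:])
		if n > 0 {
			return 0, ErrResponseTooLarge
		}
		return 0, err // io.EOF, or a transport error
	}
	if int64(len(p)) > remaining {
		p = p[:remaining]
	}
	n, err := b.r.Read(p)
	b.read += int64(n)
	return n, err
}

func (b *limitedBody) Close() error { return b.c.Close() }

func (t *limitedTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	resp, err := t.base.RoundTrip(req)
	if err != nil {
		return nil, err
	}
	// Reject up front when the server declares an oversized body; ContentLength
	// is -1 for chunked responses, so the streaming check below still applies.
	if resp.ContentLength > t.limit {
		resp.Body.Close()
		return nil, ErrResponseTooLarge
	}
	resp.Body = &limitedBody{r: resp.Body, c: resp.Body, limit: t.limit}
	return resp, nil
}

// NewLimitedClient returns an http.Client whose response bodies are capped at
// limit bytes. With go-oidc it would be supplied via oidc.ClientContext(ctx, client)
// so that oidc.NewProvider performs discovery through it (not exercised here).
func NewLimitedClient(limit int64) *http.Client {
	return &http.Client{Transport: &limitedTransport{base: http.DefaultTransport, limit: limit}}
}

// FetchDiscovery GETs the issuer's discovery document through the capped client.
func FetchDiscovery(client *http.Client, issuer string) ([]byte, error) {
	resp, err := client.Get(issuer + "/.well-known/openid-configuration")
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	return io.ReadAll(resp.Body)
}

// RunDemo starts a constructed test issuer (sample data, not a real IdP) that
// serves a tiny discovery document under /ok and a 64 KiB chunked one under
// /huge, then returns the size read for /ok and the error seen for /huge.
func RunDemo(limit int64) (int, error) {
	mux := http.NewServeMux()
	mux.HandleFunc("/ok/.well-known/openid-configuration", func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		fmt.Fprintf(w, `{"issuer":"http://%s/ok"}`, r.Host)
	})
	mux.HandleFunc("/huge/.well-known/openid-configuration", func(w http.ResponseWriter, r *http.Request) {
		pad := strings.Repeat("A", 1024)
		for i := 0; i < 64; i++ { // exceeds the server buffer, so no Content-Length is sent
			io.WriteString(w, pad)
		}
	})
	srv := httptest.NewServer(mux)
	defer srv.Close()

	client := NewLimitedClient(limit)
	okDoc, err := FetchDiscovery(client, srv.URL+"/ok")
	if err != nil {
		return 0, err
	}
	_, hugeErr := FetchDiscovery(client, srv.URL+"/huge")
	return len(okDoc), hugeErr
}

func main() {
	n, err := RunDemo(16 << 10) // 16 KiB cap, an assumed value
	fmt.Printf("ok document: %d bytes; oversized fetch: %v\n", n, err)
}
```

The cap is enforced twice on purpose: once against a declared Content-Length, which costs nothing, and again while streaming, because a server that wants to exhaust memory will simply omit the header and send chunked data. Returning an error instead of a truncated body also matters: a silently cut JSON document would fail parsing with a confusing message, whereas ErrResponseTooLarge gives the service a clear signal to log and reject the issuer.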



Impact

This vulnerability can spike the resource utilization of the STS service, and combined with a significant traffic volume could potentially lead to a denial of service.

Patches

This vulnerability existed in the repository at ****, we w
