3.7

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2024-34079

GHSA ID

GHSA-75r6-6jg8-pfcq

EPSS Score

0.17498%

CWE

CWE-400

Published

5/13/2024

Updated

7/5/2024

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-34079

CVE-2024-34079: octo-sts vulnerable to unauthenticated attacker causing unbounded CPU and memory usage

Impact

This vulnerability can spike the resource utilization of the STS service, and combined with a significant traffic volume could potentially lead to a denial of service.

Patches

This vulnerability existed in the repository at HEAD, we will cut a 0.1.0 release with the fix.

Workarounds

None

References

None

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2024-34079

CVE-2024-34079:

3.7

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2024-34079

GHSA ID

GHSA-75r6-6jg8-pfcq

EPSS Score

0.17498%

CWE

CWE-400

Published

5/13/2024

Updated

7/5/2024

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/octo-sts/app	go	< 0.1.0	0.1.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from uncontrolled resource consumption during OIDC discovery. The patch added response size limiting via a custom RoundTripper in provider.go's Get function. Prior to the fix, the call to oidc.NewProvider used a default HTTP client without size restrictions, making this function the entry point for processing unbounded responses. The vulnerability manifests when this function handles large responses from attacker-controlled issuer URLs during provider setup.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

3.7

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-34079: octo-sts vulnerable to unauthenticated attacker causing unbounded CPU and memory usage

Impact

Patches

Workarounds

References

CVE-2024-34079:

3.7

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

3.7

3.7

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

Basic Information

Basic Information

CVE-2024-34079: octo-sts vulnerable to unauthenticated attacker causing unbounded CPU and memory usage

Impact

Patches

Workarounds

References

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI