5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-35194

GHSA ID

GHSA-crgc-2583-rw27

EPSS Score

0.49866%

CWE

CWE-400

Published

5/20/2024

Updated

5/20/2024

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-35194

CVE-2024-35194: Stacklok Minder vulnerable to denial of service from maliciously crafted templates

Minder engine is susceptible to a denial of service from memory exhaustion that can be triggered from maliciously created templates.

Minder engine uses templating to generate strings for various use cases such as URLs, messages for pull requests, descriptions for advisories. In some cases can the user control both the template and the params for it, and in a subset of these cases, Minder reads the generated template entirely into memory. When Minders templating meets both of these conditions, an attacker is able to generate large enough templates that Minder will exhaust memory and crash.

One of these places is the REST ingester:

https://github.com/stacklok/minder/blob/daccbc12e364e2d407d56b87a13f7bb24cbdb074/internal/engine/ingester/rest/rest.go#L115-L123

With control over both endpoint and retp on the following line:

https://github.com/stacklok/minder/blob/daccbc12e364e2d407d56b87a13f7bb24cbdb074/internal/engine/ingester/rest/rest.go#L121

… an attacker can make Minder generate a large template that Minder reads into memory on the following line by invoking endpoint.String():

https://github.com/stacklok/minder/blob/daccbc12e364e2d407d56b87a13f7bb24cbdb074/internal/engine/ingester/rest/rest.go#L131

Consider this example:

package main

import (
        "fmt"
        "html/template"
        "os"
)

type EndpointTemplateParams struct {
        // Params are the parameters to be used in the template
        Params map[string]any
}

func main() {
        retp := &EndpointTemplateParams{
                Params: map[string]any{
                        "params": make([]string, 10),
                },
        }
        fmt.Println(retp)
        const templ = `
        {{range $idx, $e := .Params.params}}
    loooooooooooooooooooooooooooooooong-string-{{$idx}}
{{end}}
        {{range $idx, $e := .Params.params}}
    loooooooooooooooooooooooooooooooong-string-{{$idx}}
{{end}}
        {{range $idx, $e := .Params.params}}
    loooooooooooooooooooooooooooooooong-string-{{$idx}}
{{end}}`
        tmpl := template.Must(template.New("").Parse(templ))
        if err := tmpl.Execute(os.Stdout, retp); err != nil {
                panic(err)
        }
}

This example imitates the behavior on these lines:

https://github.com/stacklok/minder/blob/daccbc12e364e2d407d56b87a13f7bb24cbdb074/internal/engine/ingester/rest/rest.go#L115-L123

Running this example generates the following template:

    loooooooooooooooooooooooooooooooong-string-0

    loooooooooooooooooooooooooooooooong-string-1

    loooooooooooooooooooooooooooooooong-string-2

    loooooooooooooooooooooooooooooooong-string-3

    loooooooooooooooooooooooooooooooong-string-4

    loooooooooooooooooooooooooooooooong-string-5

    loooooooooooooooooooooooooooooooong-string-6

    loooooooooooooooooooooooooooooooong-string-7

    loooooooooooooooooooooooooooooooong-string-8

    loooooooooooooooooooooooooooooooong-string-9


    loooooooooooooooooooooooooooooooong-string-0

    loooooooooooooooooooooooooooooooong-string-1

    loooooooooooooooooooooooooooooooong-string-2

    loooooooooooooooooooooooooooooooong-string-3

    loooooooooooooooooooooooooooooooong-string-4

    loooooooooooooooooooooooooooooooong-string-5

    loooooooooooooooooooooooooooooooong-string-6

    loooooooooooooooooooooooooooooooong-string-7

    loooooooooooooooooooooooooooooooong-string-8

    loooooooooooooooooooooooooooooooong-string-9


    loooooooooooooooooooooooooooooooong-string-0

    loooooooooooooooooooooooooooooooong-string-1

    loooooooooooooooooooooooooooooooong-string-2

    loooooooooooooooooooooooooooooooong-string-3

    loooooooooooooooooooooooooooooooong-string-4

    loooooooooooooooooooooooooooooooong-string-5

    loooooooooooooooooooooooooooooooong-string-6

    loooooooooooooooooooooooooooooooong-string-7

    loooooooooooooooooooooooooooooooong-string-8

    loooooooooooooooooooooooooooooooong-string-9

A malicious user can call the loop more times, increase the loop count and/or make the repeated long string longer to make the size of the template bigger.

A sufficiently large template will consume a lot of memory on this line which will exhaust memory on the machine and crash the Minder server:

https://github.com/stacklok/minder/blob/daccbc12e364e2d407d56b87a13f7bb24cbdb074/internal/engine/ingester/rest/rest.go#L121

Minder should enforce a limit to generated templates before reading them into memory.

The following templates are believed to be vulnerable:

https://github.com/stacklok/minder/blob/daccbc12e364e2d407d56b87a13f7bb24cbdb074/internal/engine/ingester/rest/rest.go#L121

https://github.com/stacklok/minder/blob/e7f9914de9af5a69e3e6fe2bdfaaf22e62be42c0/internal/engine/actions/remediate/pull_request/pull_request.go#L199

https://github.com/stacklok/minder/blob/e7f9914de9af5a69e3e6fe2bdfaaf22e62be42c0/internal/engine/actions/remediate/pull_request/pull_request.go#L510

Minder has a few other templates especially in its engine which needs reviewing too. As a default, all templates should be limited in size before Minder reads them into memory.

(GitHub Advisory)

5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-35194

GHSA ID

GHSA-crgc-2583-rw27

EPSS Score

0.49866%

CWE

CWE-400

Published

5/20/2024

Updated

5/20/2024

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/stacklok/minder	go	< 0.0.50	0.0.50

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from template execution paths where: 1) Both template content and parameters are user-controllable 2) The executed template output is read fully into memory without size limits. The REST ingester's newRequest (via endpoint.String()) and pull request remediation handlers directly process untrusted templates through text/template execution. These functions lack the memory safeguards shown in the patch (io.LimitReader) applied to other similar components, making them susceptible to DoS via memory exhaustion.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Min**r *n*in* is sus**pti*l* to * **ni*l o* s*rvi** *rom m*mory *x**ustion t**t **n ** tri***r** *rom m*li*iously *r**t** t*mpl*t*s. Min**r *n*in* us*s t*mpl*tin* to **n*r*t* strin*s *or v*rious us* **s*s su** *s URLs, m*ss***s *or pull r*qu*sts, **

Reasoning

T** vuln*r**ility st*ms *rom t*mpl*t* *x**ution p*t*s w**r*: *) *ot* t*mpl*t* *ont*nt *n* p*r*m*t*rs *r* us*r-*ontroll**l* *) T** *x**ut** t*mpl*t* output is r*** *ully into m*mory wit*out siz* limits. T** R*ST in**st*r's `n*wR*qu*st` (vi* `*n*point.

5.3

Basic Information

Concerned about an active attack path?

CVE-2024-35194: Stacklok Minder vulnerable to denial of service from maliciously crafted templates

5.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI