Skip to content

Denial of service of Minder Server with attacker-controlled REST endpoint

Moderate severity GitHub Reviewed Published May 16, 2024 in stacklok/minder • Updated May 16, 2024

Package

gomod github.com/stacklok/minder (Go)

Affected versions

< 0.0.49

Patched versions

0.0.49

Description

The Minder REST ingester is vulnerable to a denial of service attack via an attacker-controlled REST endpoint that can crash the Minder server.

The REST ingester allows users to interact with REST endpoints to fetch data for rule evaluation. When fetching data with the REST ingester, Minder sends a request to an endpoint and will use the data from the body of the response as the data to evaluate against a certain rule. Minder sends the request on these lines:
https://github.com/stacklok/minder/blob/daccbc12e364e2d407d56b87a13f7bb24cbdb074/internal/engine/ingester/rest/rest.go#L131-L139

… and parses the response body on these lines:

https://github.com/stacklok/minder/blob/daccbc12e364e2d407d56b87a13f7bb24cbdb074/internal/engine/ingester/rest/rest.go#L147-L150

https://github.com/stacklok/minder/blob/daccbc12e364e2d407d56b87a13f7bb24cbdb074/internal/engine/ingester/rest/rest.go#L196-L220

Minder creates the URL of the endpoint via templating on these lines:

https://github.com/stacklok/minder/blob/daccbc12e364e2d407d56b87a13f7bb24cbdb074/internal/engine/ingester/rest/rest.go#L121-L123

As far as I can tell, at this stage in rule evaluation, users fully control the raw template and the params passed to the template via the RuleType type:

https://github.com/stacklok/minder/blob/daccbc12e364e2d407d56b87a13f7bb24cbdb074/pkg/api/protobuf/go/minder/v1/minder.pb.go#L6151-L6173

I have not seen anything that enforces users to only send requests to GitHub REST endpoints. If there is such a constraint, it limits the ease with which this vulnerability can be exploited, but it is still possible. If there is not such a constraint, it is easy to exploit this vuln.

When Minder parses the response from a remote endpoint, it reads the response entirely into memory on these lines:

https://github.com/stacklok/minder/blob/daccbc12e364e2d407d56b87a13f7bb24cbdb074/internal/engine/ingester/rest/rest.go#L207

and

https://github.com/stacklok/minder/blob/daccbc12e364e2d407d56b87a13f7bb24cbdb074/internal/engine/ingester/rest/rest.go#L213

If the response is sufficiently large, it can drain memory on the machine and crash the Minder server.

The attacker can control the remote REST endpoints that Minder sends requests to, and they can configure the remote REST endpoints to return responses with large bodies. They would then instruct Minder to send a request to their configured endpoint that would return the large response which would crash the Minder server.

References

@JAORMX JAORMX published to stacklok/minder May 16, 2024
Published by the National Vulnerability Database May 16, 2024
Published to the GitHub Advisory Database May 16, 2024
Reviewed May 16, 2024
Last updated May 16, 2024

Severity

Moderate
5.3
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
High
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

Weaknesses

CVE ID

CVE-2024-35185

GHSA ID

GHSA-fjw8-3gp8-4cvx

Source code

Credits

Checking history
See something to contribute? Suggest improvements for this vulnerability.