x/vulndb: potential Go vuln in github.com/stacklok/minder: CVE-2024-34084

[GoVulnBot]

CVE-2024-34084 references github.com/stacklok/minder, which may be a Go module.

Description:
Minder's HandleGithubWebhook is susceptible to a denial of service attack from an untrusted HTTP request. The vulnerability exists before the request has been validated, and as such the request is still untrusted at the point of failure. This allows an attacker with the ability to send requests to HandleGithubWebhook to crash the Minder controlplane and deny other users from using it. This vulnerability is fixed in 0.0.48.

References:

• NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-34084
• JSON: https://github.com/CVEProject/cvelist/tree/8a1bfe093d35c3163e8fcb023088ba125833cf49/2024/34xxx/CVE-2024-34084.json
• advisory: GHSA-9c5w-9q3f-3hv7
• fix: mindersec/minder@3e5a527
• Imported by: https://pkg.go.dev/github.com/stacklok/minder?tab=importedby

Cross references:

• Module github.com/stacklok/minder appears in issue x/vulndb: potential Go vuln in github.com/stacklok/minder: CVE-2024-27093 #2582 NOT_IMPORTABLE
• Module github.com/stacklok/minder appears in issue x/vulndb: potential Go vuln in github.com/stacklok/minder: GHSA-v627-69v2-xx37 #2608

See doc/triage.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/stacklok/minder
      vulnerable_at: 0.0.48
      packages:
        - package: minder
summary: CVE-2024-34084 in github.com/stacklok/minder
cves:
    - CVE-2024-34084
references:
    - advisory: https://github.com/stacklok/minder/security/advisories/GHSA-9c5w-9q3f-3hv7
    - fix: https://github.com/stacklok/minder/commit/3e5a527d2f1b535159206161d1d519602c75bd0d
source:
    id: CVE-2024-34084

[timothy-king]

Duplicate of #2821

[gopherbot]

Change https://go.dev/cl/584256 mentions this issue: data/reports: add GO-2024-2821.yaml