Home > Vulnerability Database > CVE-2024-35194

Mend.io Vulnerability Database

CVE-2024-35194

Good to know:

Date: May 20, 2024

Minder is a software supply chain security platform. Prior to version 0.0.50, Minder engine is susceptible to a denial of service from memory exhaustion that can be triggered from maliciously created templates. Minder engine uses templating to generate strings for various use cases such as URLs, messages for pull requests, descriptions for advisories. In some cases can the user control both the template and the params for it, and in a subset of these cases, Minder reads the generated template entirely into memory. When Minders templating meets both of these conditions, an attacker is able to generate large enough templates that Minder will exhaust memory and crash. This vulnerability is fixed in 0.0.50.

Language: Go

Severity Score

5.3

Related Resources (5)

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-35194

Url: https://github.com/stacklok/minder/security/advisories/GHSA-crgc-2583-rw27

Url: https://github.com/stacklok/minder/commit/fe321d345b4f738de6a06b13207addc72b59f892

Url: https://github.com/stacklok/minder

Url: https://www.mend.io/vulnerability-database/CVE-2024-35194

Severity Score

5.3

Weakness Type (CWE)

Uncontrolled Resource Consumption ('Resource Exhaustion')

CWE-400

Top Fix

Upgrade Version

Upgrade to version fe321d345b4f738de6a06b13207addc72b59f892

Learn More

CVSS v3.1

Base Score:	5.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2024-35194

Good to know:

Date: May 20, 2024

Language: Go

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?