Description
Minder's `HandleGithubWebhook` is susceptible to a denial of service attack from an untrusted HTTP request. The vulnerability exists before the request has been validated, and as such the request is still untrusted at the point of failure. This allows an attacker with the ability to send requests to `HandleGithubWebhook` to crash the Minder controlplane and deny other users from using it. This vulnerability is fixed in 0.0.48.
References (2)
Core References
Vendor Advisory (x_refsource_confirm): https://github.com/stacklok/minder/security/advisories/GHSA-9c5w-9q3f-3hv7
Scores
CVSS v3 base score: 7.5
EPSS: 0.0015
EPSS Percentile: 35.0%
Attack Vector: NETWORK
CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: yes
Technical Impact: partial
Details
CWE: CWE-400
Status: published
Products (2)
stacklok/minder (Go): 0 - 0.0.48
stacklok/minder: < 0.0.48
Published: May 07, 2024
Tracked Since: Feb 18, 2026