octo-sts vulnerable to unauthenticated attacker causing unbounded CPU and memory usage

Low severity GitHub Reviewed Published May 10, 2024 in octo-sts/app • Updated May 14, 2024

Package

gomod github.com/octo-sts/app (Go)

Affected versions

< 0.1.0

Patched versions

0.1.0

Description

Impact

This vulnerability can spike the resource utilization of the STS service, and combined with a significant traffic volume could potentially lead to a denial of service.

Patches

This vulnerability existed in the repository at HEAD; we will cut a 0.1.0 release with the fix.

Workarounds

None

References

None

References

@mattmoor mattmoor published to octo-sts/app May 10, 2024
Published to the GitHub Advisory Database May 13, 2024
Reviewed May 13, 2024
Published by the National Vulnerability Database May 14, 2024
Last updated May 14, 2024

Severity

Low 3.7 / 10

CVSS base metrics

Attack vector
Network
Attack complexity
High
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

Weaknesses

CVE ID

CVE-2024-34079

GHSA ID

GHSA-75r6-6jg8-pfcq

Source code

Credits