Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS13bXhjLXYzOXItcDl3Zs4AA6nq
Temporal Server Denial of Service
Denial of Service in Temporal Server prior to version 1.20.5, 1.21.6, and 1.22.7 allows an authenticated user who has permissions to interact with workflows and has crafted an invalid UTF-8 string for submission to potentially cause a crashloop. If left unchecked, the task containing the invalid UTF-8 will become stuck in the queue, causing an increase in queue lag. Eventually, all processes handling these queues will become stuck and the system will run out of resources. The workflow ID of the failing task will be visible in the logs, and can be used to remove that workflow as a mitigation. Version 1.23 is not impacted. In this context, a user is an operator of Temporal Server.
Permalink: https://github.com/advisories/GHSA-wmxc-v39r-p9wfJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13bXhjLXYzOXItcDl3Zs4AA6nq
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 8 months ago
Updated: 8 months ago
CVSS Score: 4.4
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H
Identifiers: GHSA-wmxc-v39r-p9wf, CVE-2024-2689
References:
- https://nvd.nist.gov/vuln/detail/CVE-2024-2689
- https://github.com/temporalio/temporal/releases
- https://github.com/temporalio/temporal/commit/2099dfd945accbf794404c3b8d990d109de19f06
- https://github.com/temporalio/temporal/commit/679e3dc2ca8bd39e02c760f686cc8807f817bbfd
- https://github.com/temporalio/temporal/commit/f1fab97129f964dcca17d1f7c344f38666d1ee5f
- https://github.com/advisories/GHSA-wmxc-v39r-p9wf
Blast Radius: 1.0
Affected Packages
go:github.com/temporalio/temporal
Dependent packages: 0Dependent repositories: 0
Downloads:
Affected Version Ranges: < 1.20.5, >= 1.21.0, < 1.21.6, >= 1.22.0-rc1, < 1.22.7
Fixed in: 1.20.5, 1.21.6, 1.22.7
All affected versions: 0.2.0, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.3.5, 0.3.6, 0.3.7, 0.3.8, 0.3.9, 0.3.10, 0.3.11, 0.3.12, 0.3.13, 0.3.14, 0.3.15, 0.4.0, 0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.5.4, 0.5.5, 0.5.7, 0.5.8, 0.5.9, 0.6.0, 0.6.1, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.8.0, 0.8.1, 0.8.2, 0.8.3, 0.8.4, 0.8.5, 0.8.6, 0.9.0, 0.9.4, 0.9.5, 0.9.8, 0.10.0, 0.10.1, 0.10.2, 0.10.3, 0.11.0, 0.12.0, 0.13.0, 0.14.0, 0.14.1, 0.14.2, 0.15.0, 0.15.1, 0.20.0, 0.21.0, 0.21.1, 0.23.0, 0.23.1, 0.25.0, 0.26.0, 0.27.0, 0.28.0, 0.30.0, 0.31.0, 1.0.0, 1.0.1, 1.1.0, 1.1.1, 1.1.2, 1.2.1, 1.2.2, 1.2.3, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.5.6, 1.5.7, 1.5.8, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.6.5, 1.6.6, 1.6.7, 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.8.0, 1.8.1, 1.8.2, 1.9.0, 1.9.1, 1.9.2, 1.9.3, 1.10.0, 1.10.1, 1.10.2, 1.10.3, 1.10.4, 1.10.5, 1.11.0, 1.11.1, 1.11.2, 1.11.3, 1.11.4, 1.12.0, 1.12.1, 1.12.2, 1.12.3, 1.12.4, 1.13.0, 1.13.1, 1.13.2, 1.13.3, 1.13.4, 1.14.0, 1.14.1, 1.14.2, 1.14.3, 1.14.4, 1.14.5, 1.14.6, 1.15.0, 1.15.1, 1.15.2, 1.16.0, 1.16.1, 1.16.2, 1.16.3, 1.17.0, 1.17.1, 1.17.2, 1.17.3, 1.17.4, 1.17.5, 1.17.6, 1.18.0, 1.18.1, 1.18.2, 1.18.3, 1.18.4, 1.18.5, 1.19.0, 1.19.1, 1.20.0, 1.20.1, 1.20.2, 1.20.3, 1.20.4, 1.21.0, 1.21.1, 1.21.2, 1.21.3, 1.21.4, 1.21.5, 1.22.0, 1.22.0-rc1, 1.22.0-rc2, 1.22.1, 1.22.2, 1.22.3, 1.22.4, 1.22.5, 1.22.6
All unaffected versions: 1.20.5, 1.21.6, 1.22.7, 1.23.0, 1.23.1, 1.24.0, 1.24.1, 1.24.2, 1.24.3, 1.25.0, 1.25.1, 1.25.2, 1.26.0, 1.26.1