Skip to content

Temporal Server Denial of Service

Moderate severity GitHub Reviewed Published Apr 4, 2024 to the GitHub Advisory Database • Updated Apr 4, 2024

Package

gomod github.com/temporalio/temporal (Go)

Affected versions

>= 1.22.0-rc1, < 1.22.7
>= 1.21.0, < 1.21.6
< 1.20.5

Patched versions

1.22.7
1.21.6
1.20.5

Description

Denial of Service in Temporal Server prior to version 1.20.5, 1.21.6, and 1.22.7 allows an authenticated user who has permissions to interact with workflows and has crafted an invalid UTF-8 string for submission to potentially cause a crashloop. If left unchecked, the task containing the invalid UTF-8 will become stuck in the queue, causing an increase in queue lag. Eventually, all processes handling these queues will become stuck and the system will run out of resources. The workflow ID of the failing task will be visible in the logs, and can be used to remove that workflow as a mitigation. Version 1.23 is not impacted. In this context, a user is an operator of Temporal Server.

References

Published by the National Vulnerability Database Apr 3, 2024
Published to the GitHub Advisory Database Apr 4, 2024
Reviewed Apr 4, 2024
Last updated Apr 4, 2024

Severity

Moderate
4.4
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
High
Privileges required
High
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H

Weaknesses

CVE ID

CVE-2024-2689

GHSA ID

GHSA-wmxc-v39r-p9wf

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.