QwikSec

Security Database

CVE

CWE

Training

CVE-2024-27916

Published: Mar 6, 2024

Modified: Aug 2, 2024

PUBLISHED

CVSS v3.1

7.1

HIGH

Description

Minder is a software supply chain security platform. Prior to version 0.0.33, a Minder user can use the endpoints `GetRepositoryByName`, `DeleteRepositoryByName`, and `GetArtifactByName` to access any repository in the database, irrespective of who owns the repo and any permissions present. The database query checks by repo owner, repo name and provider name (which is always `github`). These query values are not distinct for the particular user - as long as the user has valid credentials and a provider, they can set the repo owner/name to any value they want and the server will return information on this repo. Version 0.0.33 contains a patch for this issue.

Vendor	Product	Versions
stacklok	minder	affected `< 0.0.33`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

High

Availability

None

References

https://github.com/stacklok/minder/security/advisories/GHSA-v627-69v2-xx37

x_refsource_CONFIRM

https://github.com/stacklok/minder/commit/45750b4e9fb2de33365758366e06c19e999bd2eb

x_refsource_MISC

https://github.com/stacklok/minder/blob/a115c8524fbd582b2b277eaadce024bebbded508/internal/controlplane/handlers_repositories.go#L277-L278

x_refsource_MISC

https://github.com/stacklok/minder/blob/main/internal/controlplane/handlers_repositories.go#L257-L299

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

CVE-2024-27916 | HIGH (7.1) - Security Vulnerability | QwikSec