`GetRepositoryByName`, `DeleteRepositoryByName` and `GetArtifactByName` allow access to arbitrary repositories in Minder by any authenticated user
Description
Minder is a software supply chain security platform. Prior to version 0.0.33, a Minder user can use the endpoints GetRepositoryByName, DeleteRepositoryByName, and GetArtifactByName to access any repository in the database, irrespective of who owns the repo and of any permissions present. The database query filters only by repo owner, repo name and provider name (which is always github). None of these values is tied to the requesting user: as long as the user has valid credentials and a provider, they can set the repo owner/name to any value they want and the server will return information on that repo. Version 0.0.33 contains a patch for this issue.
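The following Go snippet is an added illustration of the authorization gap the description explains and of the general remedy for it; it is not Minder's code and does not reproduce the actual patch. The `Repository`, `Store` and `Caller` types, the project identifiers and the sample rows are all hypothetical constructs. The unscoped lookup filters only on provider, owner and name, exactly the predicate set the description names, so a caller from one project can read or delete another project's row; the scoped variants add the missing tenancy predicate (the equivalent of `WHERE project_id = <caller's project>`) and report a foreign row as not found rather than as forbidden, so the endpoint also does not reveal whether the repo is registered at all.

```go
package main

import (
	"errors"
	"fmt"
)

// Repository is a simplified stand-in for a repository row (hypothetical, not Minder's schema).
type Repository struct {
	ID        int
	ProjectID string // the tenant/project that registered the repo
	Provider  string
	RepoOwner string
	RepoName  string
}

// ErrNotFound mirrors a "no rows" result from the database.
var ErrNotFound = errors.New("repository not found")

// Store holds constructed sample rows in place of a real database.
type Store struct{ repos []Repository }

// Caller identifies the authenticated user and the project they are acting in.
type Caller struct {
	UserID    string
	ProjectID string
}

// GetRepositoryByNameUnscoped reproduces the weak pattern: the lookup filters only on
// provider, owner and name, so any authenticated caller with a provider can name any
// registered repo and get it back. The caller is accepted but never consulted.
func (s *Store) GetRepositoryByNameUnscoped(c Caller, provider, owner, name string) (Repository, error) {
	for _, r := range s.repos {
		if r.Provider == provider && r.RepoOwner == owner && r.RepoName == name {
			return r, nil
		}
	}
	return Repository{}, ErrNotFound
}

// GetRepositoryByNameScoped adds the missing tenancy predicate: the row must also belong
// to the caller's project. A row that exists under another project is reported as not
// found, so the endpoint does not leak whether that repo is registered.
func (s *Store) GetRepositoryByNameScoped(c Caller, provider, owner, name string) (Repository, error) {
	for _, r := range s.repos {
		if r.ProjectID == c.ProjectID && r.Provider == provider && r.RepoOwner == owner && r.RepoName == name {
			return r, nil
		}
	}
	return Repository{}, ErrNotFound
}

// DeleteRepositoryByNameScoped applies the same predicate to the destructive endpoint;
// a delete must never match rows outside the caller's project.
func (s *Store) DeleteRepositoryByNameScoped(c Caller, provider, owner, name string) error {
	for i, r := range s.repos {
		if r.ProjectID == c.ProjectID && r.Provider == provider && r.RepoOwner == owner && r.RepoName == name {
			s.repos = append(s.repos[:i], s.repos[i+1:]...)
			return nil
		}
	}
	return ErrNotFound
}

// NewSampleStore builds constructed sample data: two projects, one repo each.
func NewSampleStore() *Store {
	return &Store{repos: []Repository{
		{ID: 1, ProjectID: "project-alpha", Provider: "github", RepoOwner: "alpha-org", RepoName: "app"},
		{ID: 2, ProjectID: "project-beta", Provider: "github", RepoOwner: "beta-org", RepoName: "infra"},
	}}
}

func main() {
	s := NewSampleStore()
	beta := Caller{UserID: "user-b", ProjectID: "project-beta"}

	// A caller from project-beta asks for project-alpha's repo by owner/name.
	r, err := s.GetRepositoryByNameUnscoped(beta, "github", "alpha-org", "app")
	fmt.Println("unscoped:", r.ID, err) // unscoped: 1 <nil>  (cross-project read)

	_, err = s.GetRepositoryByNameScoped(beta, "github", "alpha-org", "app")
	fmt.Println("scoped:", err) // scoped: repository not found
}
```

In a real service the scoping value should come from the authenticated session (the project the token was issued for), never from a request field the caller can set alongside owner and name; otherwise the predicate is present but still attacker-controlled.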
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/stacklok/minder (Go) | < 0.0.33 | 0.0.33 |
References
- github.com/advisories/GHSA-v627-69v2-xx37 (advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-27916 (advisory)
- github.com/stacklok/minder/blob/a115c8524fbd582b2b277eaadce024bebbded508/internal/controlplane/handlers_repositories.go (affected handler source)
- github.com/stacklok/minder/blob/main/internal/controlplane/handlers_repositories.go (handler source, main branch)
- github.com/stacklok/minder/commit/45750b4e9fb2de33365758366e06c19e999bd2eb (fix commit)
- github.com/stacklok/minder/security/advisories/GHSA-v627-69v2-xx37 (vendor advisory)