Medium severity4.3OSV Advisory· Published Apr 9, 2024· Updated Jun 17, 2026
CVE-2024-31455
CVE-2024-31455
Description
Minder by Stacklok is an open source software supply chain security platform. A refactoring in commit 5c381cf added the ability to get GitHub repositories registered to a project without specifying a specific provider. Unfortunately, the SQL query for doing so was missing parenthesis, and would select a random repository. This issue is patched in pull request 2941. As a workaround, revert prior to 5c381cf, or roll forward past 2eb94e7.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/stacklok/minderGo | >= 0.0.39, < 0.0.40 | 0.0.40 |
Affected products
2Patches
Vulnerability mechanics
References
6- github.com/advisories/GHSA-ggp5-28x4-xcj9ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-31455ghsaADVISORY
- github.com/stacklok/minder/commit/11b6573ad62cfdd783a8bb52f3fce461466037f4nvdWEB
- github.com/stacklok/minder/commit/5c381cfbf3e4b7ce040ed8511a1fae1a78a0014bnvdWEB
- github.com/stacklok/minder/pull/2941nvdWEB
- github.com/stacklok/minder/security/advisories/GHSA-ggp5-28x4-xcj9nvdWEB
News mentions
0No linked articles in our index yet.