Go modules package
github.com/stacklok/minder
pkg:golang/github.com/stacklok/minder
Vulnerabilities (8)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-37904 | Med | 5.7 | < 0.0.52 | 0.0.52 | Jun 18, 2024 | Minder is an open source Software Supply Chain Security Platform. Minder's Git provider is vulnerable to a denial of service from a maliciously configured GitHub repository. The Git provider clones users repositories using the `github.com/go-git/go-git/v5` library on lines `L55-L | |
| CVE-2024-35238 | Med | 5.3 | < 0.0.51 | 0.0.51 | May 27, 2024 | Minder by Stacklok is an open source software supply chain security platform. Minder prior to version 0.0.51 is vulnerable to a denial-of-service (DoS) attack which could allow an attacker to crash the Minder server and deny other users access to it. The root cause of the vulnera | |
| CVE-2024-35194 | Med | 5.3 | < 0.0.50 | 0.0.50 | May 20, 2024 | Minder is a software supply chain security platform. Prior to version 0.0.50, Minder engine is susceptible to a denial of service from memory exhaustion that can be triggered from maliciously created templates. Minder engine uses templating to generate strings for various use cas | |
| CVE-2024-35185 | Med | 5.3 | < 0.0.49 | 0.0.49 | May 16, 2024 | Minder is a software supply chain security platform. Prior to version 0.0.49, the Minder REST ingester is vulnerable to a denial of service attack via an attacker-controlled REST endpoint that can crash the Minder server. The REST ingester allows users to interact with REST endpo | |
| CVE-2024-34084 | Hig | 7.5 | < 0.0.48 | 0.0.48 | May 7, 2024 | Minder's `HandleGithubWebhook` is susceptible to a denial of service attack from an untrusted HTTP request. The vulnerability exists before the request has been validated, and as such the request is still untrusted at the point of failure. This allows an attacker with the ability | |
| CVE-2024-31455 | Med | 4.3 | >= 0.0.39, < 0.0.40 | 0.0.40 | Apr 9, 2024 | Minder by Stacklok is an open source software supply chain security platform. A refactoring in commit `5c381cf` added the ability to get GitHub repositories registered to a project without specifying a specific provider. Unfortunately, the SQL query for doing so was missing pare | |
| CVE-2024-27916 | — | < 0.0.33 | 0.0.33 | Mar 6, 2024 | Minder is a software supply chain security platform. Prior to version 0.0.33, a Minder user can use the endpoints `GetRepositoryByName`, `DeleteRepositoryByName`, and `GetArtifactByName` to access any repository in the database, irrespective of who owns the repo and any permissio | ||
| CVE-2024-27093 | — | < 0.20240226.1425 | 0.20240226.1425 | Feb 26, 2024 | Minder is a Software Supply Chain Security Platform. In version 0.0.31 and earlier, it is possible for an attacker to register a repository with a invalid or differing upstream ID, which causes Minder to report the repository as registered, but not remediate any future changes wh |
- affected < 0.0.52fixed 0.0.52
Minder is an open source Software Supply Chain Security Platform. Minder's Git provider is vulnerable to a denial of service from a maliciously configured GitHub repository. The Git provider clones users repositories using the `github.com/go-git/go-git/v5` library on lines `L55-L
- affected < 0.0.51fixed 0.0.51
Minder by Stacklok is an open source software supply chain security platform. Minder prior to version 0.0.51 is vulnerable to a denial-of-service (DoS) attack which could allow an attacker to crash the Minder server and deny other users access to it. The root cause of the vulnera
- affected < 0.0.50fixed 0.0.50
Minder is a software supply chain security platform. Prior to version 0.0.50, Minder engine is susceptible to a denial of service from memory exhaustion that can be triggered from maliciously created templates. Minder engine uses templating to generate strings for various use cas
- affected < 0.0.49fixed 0.0.49
Minder is a software supply chain security platform. Prior to version 0.0.49, the Minder REST ingester is vulnerable to a denial of service attack via an attacker-controlled REST endpoint that can crash the Minder server. The REST ingester allows users to interact with REST endpo
- affected < 0.0.48fixed 0.0.48
Minder's `HandleGithubWebhook` is susceptible to a denial of service attack from an untrusted HTTP request. The vulnerability exists before the request has been validated, and as such the request is still untrusted at the point of failure. This allows an attacker with the ability
- affected >= 0.0.39, < 0.0.40fixed 0.0.40
Minder by Stacklok is an open source software supply chain security platform. A refactoring in commit `5c381cf` added the ability to get GitHub repositories registered to a project without specifying a specific provider. Unfortunately, the SQL query for doing so was missing pare
- CVE-2024-27916Mar 6, 2024affected < 0.0.33fixed 0.0.33
Minder is a software supply chain security platform. Prior to version 0.0.33, a Minder user can use the endpoints `GetRepositoryByName`, `DeleteRepositoryByName`, and `GetArtifactByName` to access any repository in the database, irrespective of who owns the repo and any permissio
- CVE-2024-27093Feb 26, 2024affected < 0.20240226.1425fixed 0.20240226.1425
Minder is a Software Supply Chain Security Platform. In version 0.0.31 and earlier, it is possible for an attacker to register a repository with a invalid or differing upstream ID, which causes Minder to report the repository as registered, but not remediate any future changes wh