CVE-2024-27916

🗓️ 06 Mar 2024 20:21:22Reported by GitHub_MType

cve🔗 web.nvd.nist.gov👁 66 Views🌐 WEB

Prior to version 0.0.33, Minder software allows unauthorized access to any repository in the database

Reporter	Title	Published	Views	Family All 13
CNNVD	Minder 安全漏洞	21 Mar 202400:00	–	cnnvd
Cvelist	CVE-2024-27916 `GetRepositoryByName`, `DeleteRepositoryByName` and `GetArtifactByName` allow access of arbitrary repositories in Minder by any authenticated user	6 Mar 202420:21	–	cvelist
EUVD	EUVD-2024-1009	3 Oct 202520:07	–	euvd
Github Security Blog	`GetRepositoryByName`, `DeleteRepositoryByName` and `GetArtifactByName` allow access of arbitrary repositories in Minder by any authenticated user	5 Mar 202416:20	–	github
NVD	CVE-2024-27916	21 Mar 202402:52	–	nvd
OSV	CVE-2024-27916 `GetRepositoryByName`, `DeleteRepositoryByName` and `GetArtifactByName` allow access of arbitrary repositories in Minder by any authenticated user	6 Mar 202420:21	–	osv
OSV	GHSA-V627-69V2-XX37 `GetRepositoryByName`, `DeleteRepositoryByName` and `GetArtifactByName` allow access of arbitrary repositories in Minder by any authenticated user	5 Mar 202416:20	–	osv
OSV	GO-2024-2608 Minder access control bypass in github.com/stacklok/minder	11 Mar 202420:07	–	osv
Prion	Design/Logic Flaw	14 Mar 202422:53	–	prion
Positive Technologies	PT-2024-22133	5 Mar 202400:00	–	ptsecurity

NVD

Vulners

Vulnrichment

Node

lfprojects minderRange<0.0.33go

[
  {
    "vendor": "stacklok",
    "product": "minder",
    "versions": [
      {
        "version": "< 0.0.33",
        "status": "affected"
      }
    ]
  }
]

Source	Link
github	www.github.com/stacklok/minder/commit/45750b4e9fb2de33365758366e06c19e999bd2eb
github	www.github.com/stacklok/minder/security/advisories/GHSA-v627-69v2-xx37
github	www.github.com/stacklok/minder/blob/main/internal/controlplane/handlers_repositories.go
github	www.github.com/stacklok/minder/blob/a115c8524fbd582b2b277eaadce024bebbded508/internal/controlplane/handlers_repositories.go

Parameter	Position	Path	Description	CWE
owner	query param	/GetRepositoryByName	Endpoint allows access to any repository by manipulating owner/repo values, enabling unauthorized access.	CWE-285
repo	query param	/GetRepositoryByName	Endpoint allows access to any repository by manipulating owner/repo values, enabling unauthorized access.	CWE-285
provider	query param	/GetRepositoryByName	Endpoint allows access to any repository by manipulating owner/repo values, enabling unauthorized access.	CWE-285
owner	query param	/DeleteRepositoryByName	Endpoint allows deletion of any repository by manipulating owner/repo values, enabling unauthorized actions.	CWE-285
repo	query param	/DeleteRepositoryByName	Endpoint allows deletion of any repository by manipulating owner/repo values, enabling unauthorized actions.	CWE-285
provider	query param	/DeleteRepositoryByName	Endpoint allows deletion of any repository by manipulating owner/repo values, enabling unauthorized actions.	CWE-285
owner	query param	/GetArtifactByName	Endpoint allows retrieval of any artifact by manipulating owner/repo values, enabling unauthorized access.	CWE-285
repo	query param	/GetArtifactByName	Endpoint allows retrieval of any artifact by manipulating owner/repo values, enabling unauthorized access.	CWE-285
provider	query param	/GetArtifactByName	Endpoint allows retrieval of any artifact by manipulating owner/repo values, enabling unauthorized access.	CWE-285

02 Jan 2026 14:28Current

6.8Medium risk

Vulners AI Score6.8

CVSS 3.14.3 - 7.1

EPSS0.00232

SSVC

CWE-285