2 matches found
CVE-2024-27093
CVE-2024-27093 affects Minder (github.com/stacklok/minder), which trusts a client-provided mapping from repository name to upstream ID. In versions up to 0.0.31, an attacker could register a repository with an invalid or mismatched upstream ID, causing Minder to mark the repo as regist...
CVE-2024-27916
Minder prior to version 0.0.33 is affected by an access-control flaw where authenticated users can leverage GetRepositoryByName, DeleteRepositoryByName, and GetArtifactByName to access any repository in the database. The underlying issue is that the DB query checks repo owner, repo name, and prov...