Lucene search

Veracode Vulnerability DatabaseVERACODE:45664

HistoryFeb 28, 2024 - 6:41 a.m.

Denial Of Service (DOS)

2024-02-2806:41:03

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

denial of service

improper validation

repository ids

mismatched webhooks

policy conflicts

vulnerability

4.6 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L

7 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.2%

JSON

github.com/stacklok/minder is vulnerable to Denial-of-service. The vulnerability due to improper validation of repository IDs during registration. This allows an attacker to register a repository with an invalid or differing upstream ID, causing Minder to inaccurately report the repository as registered without applying necessary remediations for future policy conflicts, due to mismatched webhooks not aligning with any known repository in the database.

CPENameOperatorVersion
github.com/stacklok/mindereqHEAD
github.com/stacklok/mindereqHEAD

CPE	Name	Operator	Version
	github.com/stacklok/minder	eq	HEAD
	github.com/stacklok/minder	eq	HEAD

References

github.com/stacklok/minder/commit/53868a878e93f29c43437f96dbc990b548e48d1d

github.com/stacklok/minder/pull/2432

github.com/stacklok/minder/security/advisories/GHSA-q6h8-4j2v-pjg4