VULNRICHMENT:CVE-2024-27916

CVE-2024-27916 `GetRepositoryByName`, `DeleteRepositoryByName` and `GetArtifactByName` allow access of arbitrary repositories in Minder by any authenticated user

Published: 2024-03-06 20:21:22
CWE-285 (Improper Authorization)
Source: GitHub_M (github.com)
minder
software
supply chain security
arbitrary access
getrepositorybyname
deleterepositorybyname
getartifactbyname
database
query
github
patch
cve-2024-27916

CVSS3: 7.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N)
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: HIGH
Availability Impact: NONE

AI Score: 6.5
Confidence: High

SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial

Minder is a software supply chain security platform. Prior to version 0.0.33, any authenticated Minder user can call the endpoints GetRepositoryByName, DeleteRepositoryByName and GetArtifactByName to read or delete any repository in the database, regardless of who registered the repository or what permissions have been granted. The underlying database query is keyed only on repository owner, repository name and provider name (always github in affected versions); none of these values is tied to the calling user or their project. As long as the caller holds valid credentials and has a provider configured, they can set the owner and name to any value and the server returns, or deletes, that repository. This is a missing authorization check (CWE-285), and the Integrity: High rating reflects that DeleteRepositoryByName acts on rows the caller does not own. Version 0.0.33 contains a patch for this issue; operators should upgrade to 0.0.33 or later.
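The query shape described above, as an added example that is not Minder's own code: an in-memory stand-in for the repositories table in Go, with a lookup keyed the way the vulnerable query is keyed beside one that also binds the caller's project, and the same scoping applied to the delete path. The SQL strings, column names, project identifiers and sample rows are assumptions constructed for this example; Minder's actual 0.0.33 patch is not reproduced here. The artifact lookup has the same shape and is not repeated.

```go
package main

import (
	"errors"
	"fmt"
)

// Illustrative query shapes only; these are not Minder's own sqlc queries.
// The vulnerable form keys solely on (provider, repo_owner, repo_name), none of
// which is bound to the caller. The scoped form adds the caller's project.
const (
	vulnerableLookupSQL = `SELECT id, project_id, provider, repo_owner, repo_name
  FROM repositories WHERE provider = $1 AND repo_owner = $2 AND repo_name = $3`
	scopedLookupSQL = `SELECT id, project_id, provider, repo_owner, repo_name
  FROM repositories WHERE provider = $1 AND repo_owner = $2 AND repo_name = $3 AND project_id = $4`
)

// Repository is a stand-in row; column names are assumptions for this example.
type Repository struct {
	ID        int64
	ProjectID string // project (tenant) that registered the repo
	Provider  string // always "github" in affected versions
	RepoOwner string
	RepoName  string
}

var ErrNotFound = errors.New("repository not found")

// Store is an in-memory substitute for the repositories table so the example runs offline.
type Store struct{ rows []Repository }

// NewSampleStore seeds two repositories owned by two different projects (constructed data).
func NewSampleStore() *Store {
	return &Store{rows: []Repository{
		{ID: 1, ProjectID: "project-a", Provider: "github", RepoOwner: "alice-org", RepoName: "frontend"},
		{ID: 2, ProjectID: "project-b", Provider: "github", RepoOwner: "acme", RepoName: "payments"},
	}}
}

// matches reports whether a row is the one named by (provider, owner, name).
func (r Repository) matches(provider, owner, name string) bool {
	return r.Provider == provider && r.RepoOwner == owner && r.RepoName == name
}

// GetRepositoryByNameVulnerable mirrors the pre-0.0.33 behaviour: the caller's
// identity plays no part in the lookup, so any authenticated user can read any row.
func (s *Store) GetRepositoryByNameVulnerable(provider, owner, name string) (Repository, error) {
	for _, r := range s.rows {
		if r.matches(provider, owner, name) {
			return r, nil
		}
	}
	return Repository{}, ErrNotFound
}

// GetRepositoryByNameScoped adds the caller's project to the key. A repo owned by
// another project is indistinguishable from a missing one, so the endpoint does
// not become an oracle for which owner/name pairs other projects have registered.
func (s *Store) GetRepositoryByNameScoped(callerProject, provider, owner, name string) (Repository, error) {
	for _, r := range s.rows {
		if r.ProjectID == callerProject && r.matches(provider, owner, name) {
			return r, nil
		}
	}
	return Repository{}, ErrNotFound
}

// DeleteRepositoryByNameScoped applies the same scoping to the destructive
// endpoint and returns how many rows were removed (0 when the caller does not own it).
func (s *Store) DeleteRepositoryByNameScoped(callerProject, provider, owner, name string) int {
	kept := s.rows[:0] // in-place filter; write index never passes read index
	deleted := 0
	for _, r := range s.rows {
		if r.ProjectID == callerProject && r.matches(provider, owner, name) {
			deleted++
			continue
		}
		kept = append(kept, r)
	}
	s.rows = kept
	return deleted
}

// Count returns the number of rows, so a caller can confirm nothing was deleted.
func (s *Store) Count() int { return len(s.rows) }

func main() {
	s := NewSampleStore()
	// A user in project-a names project-b's repository.
	if r, err := s.GetRepositoryByNameVulnerable("github", "acme", "payments"); err == nil {
		fmt.Printf("vulnerable lookup leaked %s/%s owned by %s\n", r.RepoOwner, r.RepoName, r.ProjectID)
	}
	if _, err := s.GetRepositoryByNameScoped("project-a", "github", "acme", "payments"); err != nil {
		fmt.Println("scoped lookup:", err)
	}
	n := s.DeleteRepositoryByNameScoped("project-a", "github", "acme", "payments")
	fmt.Println("cross-project delete removed", n, "rows; rows left:", s.Count())
}
```

The two SQL constants are there only to make the missing predicate visible side by side; in a real service the project ID passed to the scoped query must come from the authenticated session, never from a request parameter, or the same bypass returns through a different field.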

ADP Affected

[
  {
    "cpes": [
      "cpe:2.3:a:stacklok:minder:*:*:*:*:*:*:*:*"
    ],
    "vendor": "stacklok",
    "product": "minder",
    "versions": [
      {
        "status": "affected",
        "version": "0",
        "lessThan": "0.0.33",
        "versionType": "custom"
      }
    ],
    "defaultStatus": "unknown"
  }
]
