CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: HIGH
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
AI Score
Confidence: High
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
Minder is a software supply chain security platform. Prior to version 0.0.33, a Minder user can use the endpoints GetRepositoryByName, DeleteRepositoryByName, and GetArtifactByName to access any repository in the database, irrespective of who owns the repo and any permissions present. The database query checks by repo owner, repo name and provider name (which is always github). These query values are not scoped to the requesting user: as long as the user has valid credentials and a provider, they can set the repo owner/name to any value they want and the server will return information on this repo. Version 0.0.33 contains a patch for this issue.
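The flaw described above, as an added Go example that is not Minder's code: a repository lookup keyed only on (provider, owner, name) beside one that also requires the caller's project, so a record registered by another tenant is simply not found. The Repository type, project identifiers and sample records are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Repository is a constructed record: the project (tenant) that registered it,
// plus the (provider, owner, name) triple the vulnerable query keyed on.
type Repository struct {
	ProjectID, Provider, Owner, Name string
}
var ErrNotFound = errors.New("repository not found")
// Constructed sample data: two tenants, one registered repo each.
var repos = []Repository{
	{"project-a", "github", "alice", "payments"},
	{"project-b", "github", "bob", "infra"},
}

// vulnerableLookup mirrors the flaw in the description: the predicate is only
// (provider, owner, name), so any authenticated caller who supplies those values
// gets the record, whoever registered it.
func vulnerableLookup(provider, owner, name string) (Repository, error) {
	for _, r := range repos {
		if r.Provider == provider && r.Owner == owner && r.Name == name {
			return r, nil
		}
	}
	return Repository{}, ErrNotFound
}

// scopedLookup adds the caller's project to the predicate. Another tenant's repo
// is then indistinguishable from a missing one, so its existence is not leaked.
func scopedLookup(callerProject, provider, owner, name string) (Repository, error) {
	for _, r := range repos {
		if r.ProjectID == callerProject && r.Provider == provider && r.Owner == owner && r.Name == name {
			return r, nil
		}
	}
	return Repository{}, ErrNotFound
}

func main() {
	// A caller from project-b asks for project-a's repository.
	_, err := vulnerableLookup("github", "alice", "payments")
	fmt.Println("unscoped:", err) // unscoped: <nil>
	_, err = scopedLookup("project-b", "github", "alice", "payments")
	fmt.Println("scoped:", err) // scoped: repository not found
}
```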
[
  {
    "cpes": [
      "cpe:2.3:a:stacklok:minder:*:*:*:*:*:*:*:*"
    ],
    "vendor": "stacklok",
    "product": "minder",
    "versions": [
      {
        "status": "affected",
        "version": "0",
        "lessThan": "0.0.33",
        "versionType": "custom"
      }
    ],
    "defaultStatus": "unknown"
  }
]
github.com/stacklok/minder/blob/a115c8524fbd582b2b277eaadce024bebbded508/internal/controlplane/handlers_repositories.go#L277-L278
github.com/stacklok/minder/blob/main/internal/controlplane/handlers_repositories.go#L257-L299
github.com/stacklok/minder/commit/45750b4e9fb2de33365758366e06c19e999bd2eb
github.com/stacklok/minder/security/advisories/GHSA-v627-69v2-xx37