CVE-2024-27093
Minder trusts client-provided mapping from repo name to upstream ID
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Minder is a Software Supply Chain Security Platform. In version 0.0.31 and earlier, it is possible for an attacker to register a repository with a invalid or differing upstream ID, which causes Minder to report the repository as registered, but not remediate any future changes which conflict with policy (because the webhooks for the repo do not match any known repository in the database). When attempting to register a repo with a different repo ID, the registered provider must have admin on the named repo, or a 404 error will result. Similarly, if the stored provider token does not have repo access, then the remediations will not apply successfully. Lastly, it appears that reconciliation actions do not execute against repos with this type of mismatch. This appears to primarily be a potential denial-of-service vulnerability. This vulnerability is patched in version 0.20240226.1425+ref.53868a8.
Minder es una plataforma de seguridad de la cadena de suministro de software. En la versión 0.0.31 y anteriores, es posible que un atacante registre un repositorio con un ID ascendente no válido o diferente, lo que hace que Minder informe el repositorio como registrado, pero no solucione ningún cambio futuro que entre en conflicto con la política (porque los webhooks para el repositorio no coinciden con ningún repositorio conocido en la base de datos). Al intentar registrar un repositorio con un ID de repositorio diferente, el proveedor registrado debe tener un administrador en el repositorio nombrado o se producirá un error 404. De manera similar, si el token del proveedor almacenado no tiene acceso al repositorio, las soluciones no se aplicarán correctamente. Por último, parece que las acciones de conciliación no se ejecutan contra repos con este tipo de descalce. Esto parece ser principalmente una posible vulnerabilidad de denegación de servicio. Esta vulnerabilidad está parcheada en la versión 0.20240226.1425+ref.53868a8.
CVSS Scores
SSVC
- Decision:Track*
Timeline
- 2024-02-19 CVE Reserved
- 2024-02-26 CVE Published
- 2024-02-27 EPSS Updated
- 2024-08-27 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-20: Improper Input Validation
CAPEC
References (2)
URL | Tag | Source |
---|---|---|
https://github.com/stacklok/minder/commit/53868a878e93f29c43437f96dbc990b548e48d1d | X_refsource_misc | |
https://github.com/stacklok/minder/security/advisories/GHSA-q6h8-4j2v-pjg4 | X_refsource_confirm |
URL | Date | SRC |
---|
URL | Date | SRC |
---|
URL | Date | SRC |
---|
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Stacklok Search vendor "Stacklok" | Minder Search vendor "Stacklok" for product "Minder" | < 0.20240226.1425 Search vendor "Stacklok" for product "Minder" and version " < 0.20240226.1425" | en |
Affected
|