Description
Minder is a software supply chain security platform. Prior to version 0.0.33, a Minder user can use the endpoints `GetRepositoryByName`, `DeleteRepositoryByName`, and `GetArtifactByName` to access any repository in the database, irrespective of who owns the repo and of any permissions present. The database query checks by repo owner, repo name and provider name (which is always `github`). None of these query values is tied to the requesting user: as long as the user has valid credentials and a provider, they can set the repo owner and name to any value they want and the server will return information on that repo. Version 0.0.33 contains a patch for this issue.
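As an added illustration of the missing check (example code, not Minder's own), the unscoped lookup the description refers to is shown beside a version that scopes the query to the requesting user. The in-memory rows, the RegisteredBy column and the caller argument are assumptions standing in for the real database and authentication context.

```go
package main

import (
	"errors"
	"fmt"
)

// Repo stands in for a database row. RegisteredBy (an assumed column name) is
// the user who registered the repo; the vulnerable query never consults it.
type Repo struct {
	Provider, Owner, Name, RegisteredBy string
}
var ErrNotFound = errors.New("repository not found")

// Constructed sample rows: two users, each with one registered repo.
var rows = []Repo{
	{"github", "alice-org", "api", "alice"},
	{"github", "bob-org", "infra", "bob"},
}

// vulnerableLookup mirrors the pre-0.0.33 pattern from the advisory: the predicate
// is provider/owner/name only, so any authenticated caller can read any row.
func vulnerableLookup(caller, provider, owner, name string) (*Repo, error) {
	for i := range rows {
		if r := &rows[i]; r.Provider == provider && r.Owner == owner && r.Name == name {
			return r, nil
		}
	}
	return nil, ErrNotFound
}

// scopedLookup adds the caller to the predicate, so a row comes back only when
// it belongs to the requesting user. Using the same ErrNotFound for "exists
// but not yours" and "does not exist" avoids confirming that a repo exists.
func scopedLookup(caller, provider, owner, name string) (*Repo, error) {
	for i := range rows {
		if r := &rows[i]; r.RegisteredBy == caller && r.Provider == provider &&
			r.Owner == owner && r.Name == name {
			return r, nil
		}
	}
	return nil, ErrNotFound
}

func main() {
	_, err := vulnerableLookup("alice", "github", "bob-org", "infra")
	fmt.Println("unscoped lookup of bob's repo by alice, err:", err) // <nil>
	_, err = scopedLookup("alice", "github", "bob-org", "infra")
	fmt.Println("scoped lookup, err:", err) // repository not found
}
```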
References (4)

Exploit, Vendor Advisory: https://github.com/stacklok/minder/security/advisories/GHSA-v627-69v2-xx37
Patch: https://github.com/stacklok/minder/commit/45750b4e9fb2de33365758366e06c19e999bd2eb
Scores

CVSS v3: 7.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
Attack Vector: NETWORK
EPSS: 0.0023
EPSS Percentile: 45.9%

CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: no
Technical Impact: partial
Details

CWE: CWE-285
Status: published

Products (2)
lfprojects/minder: < 0.0.33
stacklok/minder: 0 - 0.0.33 (Go)

Published: Mar 21, 2024
Tracked Since: Feb 18, 2026