CVE-2024-27916
Minder access control bypass in github.com/stacklok/minder
Description
An authenticated Minder user can use the repository endpoints to read any repository stored in the database, regardless of who registered it and regardless of the caller's own permissions. The DB query behind these endpoints looks rows up by repository owner, repository name and provider name (which is always "github" in the affected versions). None of these values is bound to the calling user: as long as the caller has valid credentials and a provider configured, they can set the repository owner and name to any value and the server returns that repository's record. DeleteRepositoryByName uses the same query, so a user can delete another user's repository with the same technique, and the GetArtifactByName endpoint also relies on this query. The access-control check is therefore missing at the data-access layer, not merely at the API layer; the fix has to scope the query to the caller, not just validate the request.
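The following Go program is an added illustration of the lookup-key problem described above; it is not code from the Minder repository and does not claim to reproduce Minder's actual fix. It models the DB lookup as an in-memory store with constructed sample rows (`proj-alice`, `proj-bob`, `proj-mallory` are invented identifiers) and contrasts the affected key `(provider, owner, name)` with a key that also includes the caller's project, which is the general remediation pattern for this class of bug. Function and field names are chosen for the example and are assumptions, not Minder's API.

```go
package main

import (
	"errors"
	"fmt"
)

// Repository is a simplified stand-in for a repository row
// (hypothetical shape; only the columns relevant to the lookup key).
type Repository struct {
	ProjectID string // the project (tenant) that registered the repository
	Provider  string // always "github" in the affected versions
	Owner     string // attacker-controlled in the request
	Name      string // attacker-controlled in the request
}

var ErrNotFound = errors.New("repository not found")

// Store is an in-memory stand-in for the SQL layer.
type Store struct{ repos []Repository }

// NewSampleStore seeds two repositories registered by two different projects
// (constructed sample data, not real records).
func NewSampleStore() *Store {
	return &Store{repos: []Repository{
		{ProjectID: "proj-alice", Provider: "github", Owner: "alice", Name: "payments"},
		{ProjectID: "proj-bob", Provider: "github", Owner: "bob", Name: "infra"},
	}}
}

// getUnscoped is the lookup key described in the advisory, roughly
//   SELECT ... FROM repositories WHERE provider=$1 AND repo_owner=$2 AND repo_name=$3
// Nothing ties the row to the caller, so any authenticated user who names
// someone else's owner/name gets that row.
func (s *Store) getUnscoped(provider, owner, name string) (int, bool) {
	for i, r := range s.repos {
		if r.Provider == provider && r.Owner == owner && r.Name == name {
			return i, true
		}
	}
	return -1, false
}

// getScoped adds the caller's project to the key. A row registered by another
// project is now indistinguishable from a missing one, which also avoids
// leaking existence via a distinct "forbidden" response.
func (s *Store) getScoped(projectID, provider, owner, name string) (int, bool) {
	for i, r := range s.repos {
		if r.ProjectID == projectID && r.Provider == provider && r.Owner == owner && r.Name == name {
			return i, true
		}
	}
	return -1, false
}

// GetRepositoryByNameVulnerable models the affected handler: the caller's
// project is known to the handler but never reaches the query.
func (s *Store) GetRepositoryByNameVulnerable(callerProject, provider, owner, name string) (Repository, error) {
	if i, ok := s.getUnscoped(provider, owner, name); ok {
		return s.repos[i], nil
	}
	return Repository{}, ErrNotFound
}

// GetRepositoryByName models a fixed handler that passes the caller's project
// into the query.
func (s *Store) GetRepositoryByName(callerProject, provider, owner, name string) (Repository, error) {
	if i, ok := s.getScoped(callerProject, provider, owner, name); ok {
		return s.repos[i], nil
	}
	return Repository{}, ErrNotFound
}

// DeleteRepositoryByName reuses the scoped key, so a caller cannot remove a
// repository registered by another project.
func (s *Store) DeleteRepositoryByName(callerProject, provider, owner, name string) error {
	i, ok := s.getScoped(callerProject, provider, owner, name)
	if !ok {
		return ErrNotFound
	}
	s.repos = append(s.repos[:i], s.repos[i+1:]...)
	return nil
}

// Count returns the number of rows still in the store.
func (s *Store) Count() int { return len(s.repos) }

func main() {
	s := NewSampleStore()
	// "proj-mallory" has valid credentials and a github provider but owns nothing.
	r, err := s.GetRepositoryByNameVulnerable("proj-mallory", "github", "alice", "payments")
	fmt.Println("vulnerable lookup:", r, err) // returns alice's row
	_, err = s.GetRepositoryByName("proj-mallory", "github", "alice", "payments")
	fmt.Println("scoped lookup:", err) // repository not found
	fmt.Println("delete as mallory:", s.DeleteRepositoryByName("proj-mallory", "github", "alice", "payments"))
	fmt.Println("delete as alice:", s.DeleteRepositoryByName("proj-alice", "github", "alice", "payments"), "remaining:", s.Count())
}
```

The point to check when reviewing similar handlers is whether the identity established by authentication (here the caller's project) is part of every query that reads, updates or deletes a row; a query keyed only on request-supplied fields is an authorization bypass no matter how strict the authentication in front of it is.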
How to fix CVE-2024-27916
To remediate CVE-2024-27916, upgrade the affected package to a fixed version below.
- upgrade to 0.0.33 or later
- upgrade to 0.0.33 or later
Is CVE-2024-27916 being exploited?
Low: the EPSS score is 0.2%, a low predicted probability of exploitation in the wild over the next 30 days. EPSS is a prediction, not evidence that exploitation has or has not occurred; an authenticated user of an affected Minder instance can still trigger the bypass trivially.
Affected packages (2)
- from 0, < 0.0.33
- from 0, < 0.0.33
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.1 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N |
References (6)
- ADVISORY: nvd.nist.gov/vuln/detail/CVE-2024-27916
- PATCH: github.com/stacklok/minder
- WEB: github.com/stacklok/minder/blob/a115c8524fbd582b2b277eaadce024bebbded508/internal/controlplane/handlers_repositories.go#L277-L278
- WEB: github.com/stacklok/minder/blob/main/internal/controlplane/handlers_repositories.go#L257-L299