Home > Vulnerability Database > CVE-2024-27916

Mend.io Vulnerability Database

CVE-2024-27916

Good to know:

Date: March 6, 2024

Minder is a software supply chain security platform. Prior to version 0.0.33, a Minder user can use the endpoints `GetRepositoryByName`, `DeleteRepositoryByName`, and `GetArtifactByName` to access any repository in the database, irrespective of who owns the repo and any permissions present. The database query checks by repo owner, repo name and provider name (which is always `github`). These query values are not distinct for the particular user - as long as the user has valid credentials and a provider, they can set the repo owner/name to any value they want and the server will return information on this repo. Version 0.0.33 contains a patch for this issue.

Language: Go

Severity Score

7.1

Related Resources (6)

Url: https://github.com/stacklok/minder/security/advisories/GHSA-v627-69v2-xx37

Url: https://github.com/stacklok/minder/blob/a115c8524fbd582b2b277eaadce024bebbded508/internal/controlplane/handlers_repositories.go#L277-L278

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-27916

Url: https://github.com/stacklok/minder/blob/main/internal/controlplane/handlers_repositories.go#L257-L299

Url: https://github.com/stacklok/minder/commit/45750b4e9fb2de33365758366e06c19e999bd2eb

Url: https://www.mend.io/vulnerability-database/CVE-2024-27916

Severity Score

7.1

Top Fix

Upgrade Version

Upgrade to version v0.0.33

Learn More

CVSS v3.1

Base Score:	7.1
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	HIGH
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-27916

Good to know:

Date: March 6, 2024

Language: Go

Severity Score

Related Resources (6)

Severity Score

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?