data/reports: add GO-2024-2608.yaml

Aliases: CVE-2024-27916, GHSA-v627-69v2-xx37

Fixes golang/vulndb#2608

Change-Id: I7b03aa4653c8ae2747be61b4ac26cf2030f457fd
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/570717
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
diff --git a/data/osv/GO-2024-2608.json b/data/osv/GO-2024-2608.json
new file mode 100644
index 0000000..48d4516
--- /dev/null
+++ b/data/osv/GO-2024-2608.json
@@ -0,0 +1,73 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2024-2608",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2024-27916",
+    "GHSA-v627-69v2-xx37"
+  ],
+  "summary": "Minder access control bypass in github.com/stacklok/minder",
+  "details": "A Minder user can use the endpoints to access any repository in the DB, irrespective of who owns the repo and any permissions that user may have. The DB query used checks by repo owner, repo name and provider name (which is always \"github\"). These query values are not distinct for the particular user, as long as the user has valid credentials and a provider, they can set the repo owner/name to any value they want and the server will return information on this repo. DeleteRepositoryByName uses the same query and a user can delete another user's repo using this technique. The GetArtifactByName endpoint also uses this DB query.",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/stacklok/minder",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.0.33"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {
+        "imports": [
+          {
+            "path": "github.com/stacklok/minder/internal/db",
+            "symbols": [
+              "Queries.GetRepositoryByRepoName"
+            ]
+          },
+          {
+            "path": "github.com/stacklok/minder/internal/controlplane",
+            "symbols": [
+              "EntityContextProjectInterceptor",
+              "ProjectAuthorizationInterceptor",
+              "Server.DeleteRepositoryByName",
+              "Server.GetArtifactByName",
+              "Server.GetRepositoryByName",
+              "Server.StartGRPCServer",
+              "TokenValidationInterceptor"
+            ]
+          }
+        ]
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/stacklok/minder/security/advisories/GHSA-v627-69v2-xx37"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/stacklok/minder/commit/45750b4e9fb2de33365758366e06c19e999bd2eb"
+    }
+  ],
+  "credits": [
+    {
+      "name": "dmjb"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2024-2608"
+  }
+}
\ No newline at end of file
diff --git a/data/reports/GO-2024-2608.yaml b/data/reports/GO-2024-2608.yaml
new file mode 100644
index 0000000..f504c85
--- /dev/null
+++ b/data/reports/GO-2024-2608.yaml
@@ -0,0 +1,40 @@
+id: GO-2024-2608
+modules:
+    - module: github.com/stacklok/minder
+      versions:
+        - fixed: 0.0.33
+      vulnerable_at: 0.0.32
+      packages:
+        - package: github.com/stacklok/minder/internal/db
+          symbols:
+            - Queries.GetRepositoryByRepoName
+        - package: github.com/stacklok/minder/internal/controlplane
+          symbols:
+            - Server.GetArtifactByName
+            - Server.GetRepositoryByName
+            - Server.DeleteRepositoryByName
+          derived_symbols:
+            - EntityContextProjectInterceptor
+            - ProjectAuthorizationInterceptor
+            - Server.StartGRPCServer
+            - TokenValidationInterceptor
+summary: Minder access control bypass in github.com/stacklok/minder
+description: |-
+    A Minder user can use the endpoints to access any repository in the DB,
+    irrespective of who owns the repo and any permissions that user may have. The DB
+    query used checks by repo owner, repo name and provider name (which is always
+    "github"). These query values are not distinct for the particular user, as long
+    as the user has valid credentials and a provider, they can set the repo
+    owner/name to any value they want and the server will return information on this
+    repo. DeleteRepositoryByName uses the same query and a user can delete another
+    user's repo using this technique. The GetArtifactByName endpoint also uses
+    this DB query.
+cves:
+    - CVE-2024-27916
+ghsas:
+    - GHSA-v627-69v2-xx37
+credits:
+    - dmjb
+references:
+    - advisory: https://github.com/stacklok/minder/security/advisories/GHSA-v627-69v2-xx37
+    - fix: https://github.com/stacklok/minder/commit/45750b4e9fb2de33365758366e06c19e999bd2eb
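Review bot: The third sentence of the `description` block scalar runs two independent clauses together with a comma ("These query values are not distinct for the particular user, as long as the user has valid credentials..."), so the precondition reads as a continuation of the preceding claim rather than the start of the attack path. Splitting it reads more clearly: `These query values are not distinct for the particular user: as long as the user has valid credentials and a provider, they can set the repo owner/name to any value they want and the server will return information on this repo.` The same sentence appears in the OSV JSON in the first hunk, which is presumably regenerated from this report, so it would pick up the wording on regeneration. The module, version range, symbols and references otherwise agree between the two files.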