| id: GO-2024-2608 |
| modules: |
| - module: github.com/stacklok/minder |
| versions: |
| - fixed: 0.0.33 |
| vulnerable_at: 0.0.32 |
| packages: |
| - package: github.com/stacklok/minder/internal/db |
| symbols: |
| - Queries.GetRepositoryByRepoName |
| - package: github.com/stacklok/minder/internal/controlplane |
| symbols: |
| - Server.GetArtifactByName |
| - Server.GetRepositoryByName |
| - Server.DeleteRepositoryByName |
| derived_symbols: |
| - EntityContextProjectInterceptor |
| - ProjectAuthorizationInterceptor |
| - Server.StartGRPCServer |
| - TokenValidationInterceptor |
| summary: Minder access control bypass in github.com/stacklok/minder |
| description: |- |
| A Minder user can use the endpoints to access any repository in the DB, |
| irrespective of who owns the repo and any permissions that user may have. The DB |
| query used checks by repo owner, repo name and provider name (which is always |
| "github"). These query values are not distinct for the particular user, as long |
| as the user has valid credentials and a provider, they can set the repo |
| owner/name to any value they want and the server will return information on this |
| repo. DeleteRepositoryByName uses the same query and a user can delete another |
| user's repo using this technique. The GetArtifactByName endpoint also uses this |
| DB query. |
| cves: |
| - CVE-2024-27916 |
| ghsas: |
| - GHSA-v627-69v2-xx37 |
| credits: |
| - dmjb |
| references: |
| - advisory: https://github.com/stacklok/minder/security/advisories/GHSA-v627-69v2-xx37 |
| - fix: https://github.com/stacklok/minder/commit/45750b4e9fb2de33365758366e06c19e999bd2eb |
| review_status: REVIEWED |
