blob: 5e2fc40b6ba15ff09682bf69fd8516bbab082378 [file] [log] [blame]
id: GO-2024-2608
modules:
- module: github.com/stacklok/minder
versions:
- fixed: 0.0.33
vulnerable_at: 0.0.32
packages:
- package: github.com/stacklok/minder/internal/db
symbols:
- Queries.GetRepositoryByRepoName
- package: github.com/stacklok/minder/internal/controlplane
symbols:
- Server.GetArtifactByName
- Server.GetRepositoryByName
- Server.DeleteRepositoryByName
derived_symbols:
- EntityContextProjectInterceptor
- ProjectAuthorizationInterceptor
- Server.StartGRPCServer
- TokenValidationInterceptor
summary: Minder access control bypass in github.com/stacklok/minder
description: |-
A Minder user can use the endpoints to access any repository in the DB,
irrespective of who owns the repo and any permissions that user may have. The DB
query used checks by repo owner, repo name and provider name (which is always
"github"). These query values are not distinct for the particular user, as long
as the user has valid credentials and a provider, they can set the repo
owner/name to any value they want and the server will return information on this
repo. DeleteRepositoryByName uses the same query and a user can delete another
user's repo using this technique. The GetArtifactByName endpoint also uses this
DB query.
cves:
- CVE-2024-27916
ghsas:
- GHSA-v627-69v2-xx37
credits:
- dmjb
references:
- advisory: https://github.com/stacklok/minder/security/advisories/GHSA-v627-69v2-xx37
- fix: https://github.com/stacklok/minder/commit/45750b4e9fb2de33365758366e06c19e999bd2eb
review_status: REVIEWED