GSD-2024-27093

Vulnerability from gsd - Updated: 2024-02-20 06:02
Details
Minder is a Software Supply Chain Security Platform. In version 0.0.31 and earlier, it is possible for an attacker to register a repository with a invalid or differing upstream ID, which causes Minder to report the repository as registered, but not remediate any future changes which conflict with policy (because the webhooks for the repo do not match any known repository in the database). When attempting to register a repo with a different repo ID, the registered provider must have admin on the named repo, or a 404 error will result. Similarly, if the stored provider token does not have repo access, then the remediations will not apply successfully. Lastly, it appears that reconciliation actions do not execute against repos with this type of mismatch. This appears to primarily be a potential denial-of-service vulnerability. This vulnerability is patched in version 0.20240226.1425+ref.53868a8.
Aliases
To clipboard 

{
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2024-27093"
      ],
      "details": "Minder is a Software Supply Chain Security Platform. In version 0.0.31 and earlier, it is possible for an attacker to register a repository with a invalid or differing upstream ID, which causes Minder to report the repository as registered, but not remediate any future changes which conflict with policy (because the webhooks for the repo do not match any known repository in the database).  When attempting to register a repo with a different repo ID, the registered provider must have admin on the named repo, or a 404 error will result.  Similarly, if the stored provider token does not have repo access, then the remediations will not apply successfully.  Lastly, it appears that reconciliation actions do not execute against repos with this type of mismatch. This appears to primarily be a potential denial-of-service vulnerability.  This vulnerability is patched in version 0.20240226.1425+ref.53868a8.",
      "id": "GSD-2024-27093",
      "modified": "2024-02-20T06:02:29.340571Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2024-27093",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "minder",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "\u003c 0.20240226.1425+ref.53868a8"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "stacklok"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Minder is a Software Supply Chain Security Platform. In version 0.0.31 and earlier, it is possible for an attacker to register a repository with a invalid or differing upstream ID, which causes Minder to report the repository as registered, but not remediate any future changes which conflict with policy (because the webhooks for the repo do not match any known repository in the database).  When attempting to register a repo with a different repo ID, the registered provider must have admin on the named repo, or a 404 error will result.  Similarly, if the stored provider token does not have repo access, then the remediations will not apply successfully.  Lastly, it appears that reconciliation actions do not execute against repos with this type of mismatch. This appears to primarily be a potential denial-of-service vulnerability.  This vulnerability is patched in version 0.20240226.1425+ref.53868a8."
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 4.6,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-20",
                "lang": "eng",
                "value": "CWE-20: Improper Input Validation"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/stacklok/minder/security/advisories/GHSA-q6h8-4j2v-pjg4",
            "refsource": "MISC",
            "url": "https://github.com/stacklok/minder/security/advisories/GHSA-q6h8-4j2v-pjg4"
          },
          {
            "name": "https://github.com/stacklok/minder/commit/53868a878e93f29c43437f96dbc990b548e48d1d",
            "refsource": "MISC",
            "url": "https://github.com/stacklok/minder/commit/53868a878e93f29c43437f96dbc990b548e48d1d"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-q6h8-4j2v-pjg4",
        "discovery": "UNKNOWN"
      }
    },
    "nvd.nist.gov": {
      "cve": {
        "descriptions": [
          {
            "lang": "en",
            "value": "Minder is a Software Supply Chain Security Platform. In version 0.0.31 and earlier, it is possible for an attacker to register a repository with a invalid or differing upstream ID, which causes Minder to report the repository as registered, but not remediate any future changes which conflict with policy (because the webhooks for the repo do not match any known repository in the database).  When attempting to register a repo with a different repo ID, the registered provider must have admin on the named repo, or a 404 error will result.  Similarly, if the stored provider token does not have repo access, then the remediations will not apply successfully.  Lastly, it appears that reconciliation actions do not execute against repos with this type of mismatch. This appears to primarily be a potential denial-of-service vulnerability.  This vulnerability is patched in version 0.20240226.1425+ref.53868a8."
          },
          {
            "lang": "es",
            "value": "Minder es una plataforma de seguridad de la cadena de suministro de software. En la versi\u00f3n 0.0.31 y anteriores, es posible que un atacante registre un repositorio con un ID ascendente no v\u00e1lido o diferente, lo que hace que Minder informe el repositorio como registrado, pero no solucione ning\u00fan cambio futuro que entre en conflicto con la pol\u00edtica (porque los webhooks para el repositorio no coinciden con ning\u00fan repositorio conocido en la base de datos). Al intentar registrar un repositorio con un ID de repositorio diferente, el proveedor registrado debe tener un administrador en el repositorio nombrado o se producir\u00e1 un error 404. De manera similar, si el token del proveedor almacenado no tiene acceso al repositorio, las soluciones no se aplicar\u00e1n correctamente. Por \u00faltimo, parece que las acciones de conciliaci\u00f3n no se ejecutan contra repos con este tipo de descalce. Esto parece ser principalmente una posible vulnerabilidad de denegaci\u00f3n de servicio. Esta vulnerabilidad est\u00e1 parcheada en la versi\u00f3n 0.20240226.1425+ref.53868a8."
          }
        ],
        "id": "CVE-2024-27093",
        "lastModified": "2024-02-27T14:20:06.637",
        "metrics": {
          "cvssMetricV31": [
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 4.6,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L",
                "version": "3.1"
              },
              "exploitabilityScore": 2.1,
              "impactScore": 2.5,
              "source": "security-advisories@github.com",
              "type": "Secondary"
            }
          ]
        },
        "published": "2024-02-26T22:15:07.113",
        "references": [
          {
            "source": "security-advisories@github.com",
            "url": "https://github.com/stacklok/minder/commit/53868a878e93f29c43437f96dbc990b548e48d1d"
          },
          {
            "source": "security-advisories@github.com",
            "url": "https://github.com/stacklok/minder/security/advisories/GHSA-q6h8-4j2v-pjg4"
          }
        ],
        "sourceIdentifier": "security-advisories@github.com",
        "vulnStatus": "Awaiting Analysis",
        "weaknesses": [
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-20"
              }
            ],
            "source": "security-advisories@github.com",
            "type": "Secondary"
          }
        ]
      }
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.