{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-27093", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-02-19T14:43:05.993Z", "datePublished": "2024-02-26T21:57:25.101Z", "dateUpdated": "2024-08-27T19:43:28.099Z"}, "containers": {"cna": {"title": "Minder trusts client-provided mapping from repo name to upstream ID", "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "lang": "en", "description": "CWE-20: Improper Input Validation", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/stacklok/minder/security/advisories/GHSA-q6h8-4j2v-pjg4", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/stacklok/minder/security/advisories/GHSA-q6h8-4j2v-pjg4"}, {"name": "https://github.com/stacklok/minder/commit/53868a878e93f29c43437f96dbc990b548e48d1d", "tags": ["x_refsource_MISC"], "url": "https://github.com/stacklok/minder/commit/53868a878e93f29c43437f96dbc990b548e48d1d"}], "affected": [{"vendor": "stacklok", "product": "minder", "versions": [{"version": "< 0.20240226.1425+ref.53868a8", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-02-26T21:57:25.101Z"}, "descriptions": [{"lang": "en", "value": "Minder is a Software Supply Chain Security Platform. In version 0.0.31 and earlier, it is possible for an attacker to register a repository with a invalid or differing upstream ID, which causes Minder to report the repository as registered, but not remediate any future changes which conflict with policy (because the webhooks for the repo do not match any known repository in the database).  When attempting to register a repo with a different repo ID, the registered provider must have admin on the named repo, or a 404 error will result.  Similarly, if the stored provider token does not have repo access, then the remediations will not apply successfully.  Lastly, it appears that reconciliation actions do not execute against repos with this type of mismatch. This appears to primarily be a potential denial-of-service vulnerability.  This vulnerability is patched in version 0.20240226.1425+ref.53868a8."}], "source": {"advisory": "GHSA-q6h8-4j2v-pjg4", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:27:58.381Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/stacklok/minder/security/advisories/GHSA-q6h8-4j2v-pjg4", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/stacklok/minder/security/advisories/GHSA-q6h8-4j2v-pjg4"}, {"name": "https://github.com/stacklok/minder/commit/53868a878e93f29c43437f96dbc990b548e48d1d", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/stacklok/minder/commit/53868a878e93f29c43437f96dbc990b548e48d1d"}]}, {"affected": [{"vendor": "stacklok", "product": "minder", "cpes": ["cpe:2.3:a:stacklok:minder:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "0.20240226.1425\\+ref.53868a8", "versionType": "git"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-02-27T18:24:55.540745Z", "id": "CVE-2024-27093", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-27T19:43:28.099Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/stacklok/minder/security/advisories/GHSA-q6h8-4j2v-pjg4", "name": "https://github.com/stacklok/minder/security/advisories/GHSA-q6h8-4j2v-pjg4", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/stacklok/minder/commit/53868a878e93f29c43437f96dbc990b548e48d1d", "name": "https://github.com/stacklok/minder/commit/53868a878e93f29c43437f96dbc990b548e48d1d", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:27:58.381Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-27093", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-02-27T18:24:55.540745Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:stacklok:minder:*:*:*:*:*:*:*:*"], "vendor": "stacklok", "product": "minder", "versions": [{"status": "affected", "version": "0", "lessThan": "0.20240226.1425\\+ref.53868a8", "versionType": "git"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-23T19:42:36.633Z"}}], "cna": {"title": "Minder trusts client-provided mapping from repo name to upstream ID", "source": {"advisory": "GHSA-q6h8-4j2v-pjg4", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.6, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "stacklok", "product": "minder", "versions": [{"status": "affected", "version": "< 0.20240226.1425+ref.53868a8"}]}], "references": [{"url": "https://github.com/stacklok/minder/security/advisories/GHSA-q6h8-4j2v-pjg4", "name": "https://github.com/stacklok/minder/security/advisories/GHSA-q6h8-4j2v-pjg4", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/stacklok/minder/commit/53868a878e93f29c43437f96dbc990b548e48d1d", "name": "https://github.com/stacklok/minder/commit/53868a878e93f29c43437f96dbc990b548e48d1d", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Minder is a Software Supply Chain Security Platform. In version 0.0.31 and earlier, it is possible for an attacker to register a repository with a invalid or differing upstream ID, which causes Minder to report the repository as registered, but not remediate any future changes which conflict with policy (because the webhooks for the repo do not match any known repository in the database).  When attempting to register a repo with a different repo ID, the registered provider must have admin on the named repo, or a 404 error will result.  Similarly, if the stored provider token does not have repo access, then the remediations will not apply successfully.  Lastly, it appears that reconciliation actions do not execute against repos with this type of mismatch. This appears to primarily be a potential denial-of-service vulnerability.  This vulnerability is patched in version 0.20240226.1425+ref.53868a8."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20: Improper Input Validation"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-02-26T21:57:25.101Z"}}}, "cveMetadata": {"cveId": "CVE-2024-27093", "state": "PUBLISHED", "dateUpdated": "2024-08-27T19:43:28.099Z", "dateReserved": "2024-02-19T14:43:05.993Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-02-26T21:57:25.101Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:lfprojects:minder:*:*:*:*:*:go:*:*", "matchCriteriaId": "EAEBA7D3-AE9F-48EA-A40F-EEFB68C78EEA", "versionEndIncluding": "0.0.31", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Minder is a Software Supply Chain Security Platform. In version 0.0.31 and earlier, it is possible for an attacker to register a repository with a invalid or differing upstream ID, which causes Minder to report the repository as registered, but not remediate any future changes which conflict with policy (because the webhooks for the repo do not match any known repository in the database).  When attempting to register a repo with a different repo ID, the registered provider must have admin on the named repo, or a 404 error will result.  Similarly, if the stored provider token does not have repo access, then the remediations will not apply successfully.  Lastly, it appears that reconciliation actions do not execute against repos with this type of mismatch. This appears to primarily be a potential denial-of-service vulnerability.  This vulnerability is patched in version 0.20240226.1425+ref.53868a8."}, {"lang": "es", "value": "Minder es una plataforma de seguridad de la cadena de suministro de software. En la versi\u00f3n 0.0.31 y anteriores, es posible que un atacante registre un repositorio con un ID ascendente no v\u00e1lido o diferente, lo que hace que Minder informe el repositorio como registrado, pero no solucione ning\u00fan cambio futuro que entre en conflicto con la pol\u00edtica (porque los webhooks para el repositorio no coinciden con ning\u00fan repositorio conocido en la base de datos). Al intentar registrar un repositorio con un ID de repositorio diferente, el proveedor registrado debe tener un administrador en el repositorio nombrado o se producir\u00e1 un error 404. De manera similar, si el token del proveedor almacenado no tiene acceso al repositorio, las soluciones no se aplicar\u00e1n correctamente. Por \u00faltimo, parece que las acciones de conciliaci\u00f3n no se ejecutan contra repos con este tipo de descalce. Esto parece ser principalmente una posible vulnerabilidad de denegaci\u00f3n de servicio. Esta vulnerabilidad est\u00e1 parcheada en la versi\u00f3n 0.20240226.1425+ref.53868a8."}], "id": "CVE-2024-27093", "lastModified": "2025-02-05T16:37:05.137", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-02-26T22:15:07.113", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/stacklok/minder/commit/53868a878e93f29c43437f96dbc990b548e48d1d"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/stacklok/minder/security/advisories/GHSA-q6h8-4j2v-pjg4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/stacklok/minder/commit/53868a878e93f29c43437f96dbc990b548e48d1d"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/stacklok/minder/security/advisories/GHSA-q6h8-4j2v-pjg4"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}