Minder · Minder · CVE-2024-27093
**Name of the Vulnerable Software and Affected Versions**
Minder versions prior to 0.20240226.1425 (this range includes versions 0.0.31 and earlier)
**Description**
Minder accepts a repository registration whose upstream ID is invalid or does not match the repository it names. Minder then reports the repository as registered, but webhook deliveries for that repository carry its real upstream ID and match no repository in the database, so Minder does not remediate future changes that conflict with policy, and reconciliation actions are not executed against a repository with this kind of mismatch. Registering a repository under a different ID requires that the registered provider have admin access to the named repository; otherwise the request fails with a 404. If the stored provider token does not have access to the repository, remediations also fail to apply. The impact is a potential denial of service: policy enforcement for the affected repository stops while Minder still reports it as registered.
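The mechanism described above, as an added illustration that is not Minder's own code: a small Go model in which registration either stores the caller's claimed upstream ID unchecked (the vulnerable pattern) or resolves the ID from the provider and rejects a disagreement (a hardened pattern), and webhook dispatch looks up the registration by the repository ID in the delivery. Every name here (`registerTrustingClient`, `registerVerified`, `handleWebhook`, the `acme/app` repository with ID 1001) is constructed for the example and does not correspond to a Minder identifier.

```go
package main

import (
	"errors"
	"fmt"
)

// upstreamRepo is a constructed stand-in for what the provider (e.g. GitHub)
// knows about a repository: its immutable numeric ID and whether the token
// used by the registered provider has admin rights on it.
type upstreamRepo struct {
	ID      int64
	IsAdmin bool
}

// provider simulates the upstream API; keys are "owner/name".
type provider struct {
	repos map[string]upstreamRepo
}

// lookup mirrors the behaviour described in the advisory: without admin
// access the named repository cannot be registered and the API answers 404.
func (p provider) lookup(owner, name string) (upstreamRepo, error) {
	r, ok := p.repos[owner+"/"+name]
	if !ok || !r.IsAdmin {
		return upstreamRepo{}, errors.New("404 not found")
	}
	return r, nil
}

// store is the registration database, keyed by upstream ID because that is
// what webhook deliveries carry.
type store struct {
	byUpstreamID map[int64]string
}

func newStore() *store { return &store{byUpstreamID: map[int64]string{}} }

// registerTrustingClient models the vulnerable pattern: the caller's claimed
// upstream ID is stored without being checked against the provider.
func registerTrustingClient(s *store, p provider, owner, name string, claimedID int64) error {
	if _, err := p.lookup(owner, name); err != nil {
		return err
	}
	s.byUpstreamID[claimedID] = owner + "/" + name
	return nil
}

// registerVerified is the hardened pattern: the upstream ID is taken from the
// provider, and a caller-supplied ID that disagrees with it is rejected.
func registerVerified(s *store, p provider, owner, name string, claimedID int64) error {
	r, err := p.lookup(owner, name)
	if err != nil {
		return err
	}
	if claimedID != 0 && claimedID != r.ID {
		return fmt.Errorf("upstream ID mismatch: request says %d, provider says %d", claimedID, r.ID)
	}
	s.byUpstreamID[r.ID] = owner + "/" + name
	return nil
}

// handleWebhook models event dispatch: a delivery whose repository ID matches
// no registration is dropped, so no remediation or reconciliation runs.
func handleWebhook(s *store, payloadRepoID int64) (string, bool) {
	repo, ok := s.byUpstreamID[payloadRepoID]
	return repo, ok
}

// scenario runs both registration paths against the same constructed provider
// and reports whether a real webhook delivery (carrying ID 1001) is matched.
func scenario() (matchedTrusting bool, mismatchErr error, matchedVerified bool) {
	p := provider{repos: map[string]upstreamRepo{
		"acme/app": {ID: 1001, IsAdmin: true}, // constructed sample repository
	}}

	// Vulnerable path: an admin of acme/app registers it under bogus ID 4242.
	// The repository is "registered", but the real delivery is never matched.
	s1 := newStore()
	_ = registerTrustingClient(s1, p, "acme", "app", 4242)
	_, matchedTrusting = handleWebhook(s1, 1001)

	// Hardened path: the bogus ID is rejected; a registration with no claimed
	// ID resolves to 1001 from the provider and subsequent deliveries match.
	s2 := newStore()
	mismatchErr = registerVerified(s2, p, "acme", "app", 4242)
	_ = registerVerified(s2, p, "acme", "app", 0)
	_, matchedVerified = handleWebhook(s2, 1001)
	return
}

func main() {
	mt, err, mv := scenario()
	fmt.Printf("trusting client: webhook matched=%v\n", mt)
	fmt.Printf("verified: mismatch rejected=%v, webhook matched=%v\n", err, mv)
}
```

The point of the model is the lookup key: because dispatch is keyed on the upstream ID supplied by the provider at delivery time, any registration path that lets a client choose that key can create a repository the service believes it protects but never acts on. Resolving the ID server-side, and treating a client-supplied ID purely as something to cross-check, closes that gap.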
**Recommendations**
Update to Minder version 0.20240226.1425 or later. This resolves the issue for every affected release, including versions 0.0.31 and earlier.
As a temporary workaround until the update is applied, restrict who may call `RegisterRepository`, so that untrusted parties cannot register repositories with invalid or differing upstream IDs.