PT-2024-21644 · Minder · Minder

Evankanderson

Published: 2024-02-26 · Updated: 2024-06-28

CVE-2024-27093

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Minder versions 0.0.31 and earlier; Minder versions prior to 0.20240226.1425

Description: The issue allows an attacker to register a repository with an invalid or differing upstream ID, causing Minder to report the repository as registered but not remediate future changes that conflict with policy. This is because the webhooks for the repository do not match any known repository in the database. To register a repository with a different ID, the registered provider must have admin access to the named repository, or a 404 error will result. If the stored provider token does not have repository access, remediations will not apply successfully. Reconciliation actions do not execute against repositories with this type of mismatch. This appears to be a potential denial-of-service vulnerability.

Recommendations: For Minder versions 0.0.31 and earlier, update to version 0.20240226.1425 or later to resolve the issue. For Minder versions prior to 0.20240226.1425, update to version 0.20240226.1425 or later to resolve the issue. As a temporary workaround, consider restricting access to the RegisterRepository call to prevent attackers from registering repositories with invalid or differing upstream IDs.



Related Identifiers

CVE-2024-27093
GHSA-Q6H8-4J2V-PJG4
GO-2024-2582

Affected Products

Minder