PT-2024-22133 · Minder

Dmjb

Published: 2024-03-05
Updated: 2026-01-02

CVE-2024-27916
CVSS v3.1: 7.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Minder versions prior to 0.0.33

Description: A Minder user can use the endpoints GetRepositoryByName, DeleteRepositoryByName, and GetArtifactByName to access any repository in the database, irrespective of who owns the repository and of any permissions present. The database query checks only repo owner, repo name, and provider name (which is always "github"). None of these values is tied to the requesting user: as long as the user has valid credentials and a provider, they can set the repo owner/name to any value they want and the server will return information on that repository. This issue affects every user and project in a multi-tenant Minder instance.

Recommendations: To resolve this issue, update to version 0.0.33 or later. As a temporary workaround, consider restricting access to the GetRepositoryByName, DeleteRepositoryByName, and GetArtifactByName endpoints until the patch is applied. In particular, restrict use of DeleteRepositoryByName to prevent unauthorized deletion of repositories, and avoid using GetArtifactByName until the issue is resolved.
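The authorization gap described above, illustrated as an added Go example (hypothetical code written for this page, not Minder's own implementation): a by-name lookup keyed only on provider/owner/name beside one that also scopes the predicate to the caller's project. The repository rows, project names, and function names are constructed.

```go
package main

import "errors"

// Repository is a constructed stand-in for a stored repository row.
type Repository struct {
	ID       int
	Project  string // tenant/project that owns the row
	Provider string
	Owner    string
	Name     string
}

var ErrNotFound = errors.New("repository not found")

// lookupByNameUnscoped mirrors the weak pattern: the row is selected by
// provider, owner and name only, so any authenticated caller can reach
// any tenant's repository simply by naming it (hypothetical, not Minder code).
func lookupByNameUnscoped(db []Repository, provider, owner, name string) (Repository, error) {
	for _, r := range db {
		if r.Provider == provider && r.Owner == owner && r.Name == name {
			return r, nil
		}
	}
	return Repository{}, ErrNotFound
}

// lookupByNameScoped adds the caller's project to the predicate so the
// lookup cannot cross tenant boundaries; a project mismatch is
// indistinguishable from a missing row, which avoids leaking existence.
func lookupByNameScoped(db []Repository, callerProject, provider, owner, name string) (Repository, error) {
	for _, r := range db {
		if r.Project == callerProject && r.Provider == provider && r.Owner == owner && r.Name == name {
			return r, nil
		}
	}
	return Repository{}, ErrNotFound
}

// sampleDB is constructed data: two tenants, each owning one repository.
var sampleDB = []Repository{
	{ID: 1, Project: "tenant-a", Provider: "github", Owner: "acme", Name: "billing"},
	{ID: 2, Project: "tenant-b", Provider: "github", Owner: "globex", Name: "payroll"},
}
```

A tenant-a caller asking for globex/payroll gets row 2 from the unscoped lookup but ErrNotFound from the scoped one; the same scoping applies to the delete and artifact paths.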

Weakness Enumeration

Improper Authorization

Related Identifiers

CVE-2024-27916
GHSA-V627-69V2-XX37
GO-2024-2608

Affected Products

Minder