PT-2024-24089 · Stacklok · Minder

Eleftherias · Published 2024-04-09 · Updated 2024-06-04

CVE-2024-31455 · CVSS v3.1 4.3 Medium · Vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Minder by Stacklok, versions prior to the version that includes pull request 2941.
Description: A recent refactoring added the ability to get the GitHub repositories registered to a project without specifying a provider. Unfortunately, the SQL query for doing so was missing parentheses, so the WHERE clause did not restrict the result to the requested project and the query would select a random repository. This issue allows a data leak across projects.
Recommendations: For versions prior to the patch in pull request 2941, revert to before commit 5c381cf, or roll forward past 2eb94e7 to resolve the issue. As a temporary workaround, consider restricting access to the affected SQL query until a patch is available.
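The class of bug described above is an operator-precedence mistake: in SQL, AND binds tighter than OR, so a predicate written as A AND B OR C is evaluated as (A AND B) OR C. The following is an added illustration, not Minder's actual query or schema; the table layout, the sample rows and the shape of the optional-provider filter are assumptions made for the example. It runs the ungrouped and the correctly grouped form of the same query against an in-memory SQLite database and shows that, when no provider is given, the ungrouped form returns repositories belonging to other projects (with a LIMIT 1 and no ORDER BY, a single-row lookup would then hand back an arbitrary one of them).

```python
import sqlite3

# Constructed sample data (hypothetical schema, not Minder's):
# repositories are registered to a project and come from a provider.
ROWS = [
    (1, "project-a", "github", "a/repo-1"),
    (2, "project-a", "github", "a/repo-2"),
    (3, "project-b", "github", "b/repo-1"),
    (4, "project-b", "gitlab", "b/repo-2"),
]


def open_db():
    """Create a throwaway in-memory database seeded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE repositories ("
        " id INTEGER PRIMARY KEY,"
        " project_id TEXT NOT NULL,"
        " provider TEXT NOT NULL,"
        " name TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO repositories VALUES (?, ?, ?, ?)", ROWS)
    return conn


# Hypothetical ungrouped form: the optional-provider predicate is not in
# parentheses, so the clause parses as
#   (project_id = :project AND provider = :provider) OR :provider IS NULL
# and the project filter is bypassed whenever :provider is NULL.
UNGROUPED = """
SELECT project_id, name FROM repositories
WHERE project_id = :project AND provider = :provider OR :provider IS NULL
ORDER BY id
"""

# Grouped form: the project filter always applies; the provider filter is
# optional.
GROUPED = """
SELECT project_id, name FROM repositories
WHERE project_id = :project AND (provider = :provider OR :provider IS NULL)
ORDER BY id
"""


def list_repos(sql, project, provider=None):
    """Run one of the queries and return the repository names it yields."""
    conn = open_db()
    try:
        params = {"project": project, "provider": provider}
        return [name for _, name in conn.execute(sql, params)]
    finally:
        conn.close()


def foreign_rows(sql, project, provider=None):
    """Regression check: names of returned rows that belong to another
    project. A correct project-scoped query must always return []."""
    conn = open_db()
    try:
        params = {"project": project, "provider": provider}
        return [name for pid, name in conn.execute(sql, params) if pid != project]
    finally:
        conn.close()


if __name__ == "__main__":
    for label, sql in (("ungrouped", UNGROUPED), ("grouped", GROUPED)):
        print(label, "with provider:", list_repos(sql, "project-a", "github"))
        print(label, "no provider: ", list_repos(sql, "project-a"))
        print(label, "leaked rows: ", foreign_rows(sql, "project-a"))
```

The foreign_rows check is the kind of assertion worth keeping in a query test suite: every row returned for a project-scoped lookup must carry that project's id, regardless of which optional filters are supplied.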

Exploit

Fix

Information Disclosure


Weakness Enumeration

Related Identifiers

CVE-2024-31455
GHSA-GGP5-28X4-XCJ9
GO-2024-2701

Affected Products

Minder