Django REST framework

Lookup for vulnerabilities affecting packages.

Vulnerability_id VCID-p3et-zkgz-abct

Summary Minder is a software supply chain security platform. Prior to version 0.0.33, a Minder user can use the endpoints `GetRepositoryByName`, `DeleteRepositoryByName`, and `GetArtifactByName` to access any repository in the database, irrespective of who owns the repo and any permissions present. The database query checks by repo owner, repo name and provider name (which is always `github`). These query values are not distinct for the particular user - as long as the user has valid credentials and a provider, they can set the repo owner/name to any value they want and the server will return information on this repo. Version 0.0.33 contains a patch for this issue.

Aliases

alias	CVE-2024-27916

alias	GHSA-v627-69v2-xx37

Fixed_packages

url	pkg:golang/github.com/stacklok/minder@0.0.33
purl	pkg:golang/github.com/stacklok/minder@0.0.33
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:golang/github.com/stacklok/minder@0.0.33

Affected_packages

References

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-27916

reference_id

reference_type

scores

value	0.00232
scoring_system	epss
scoring_elements	0.46279
published_at	2026-06-11T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-27916

reference_url

https://github.com/stacklok/minder

reference_id

reference_type

scores

value	7.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/stacklok/minder

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-27916

reference_id

reference_type

scores

value	7.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-27916

reference_url

https://github.com/stacklok/minder/commit/45750b4e9fb2de33365758366e06c19e999bd2eb

reference_id

45750b4e9fb2de33365758366e06c19e999bd2eb

reference_type

scores

value	7.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-02T19:38:55Z/

url

https://github.com/stacklok/minder/commit/45750b4e9fb2de33365758366e06c19e999bd2eb

reference_url

https://github.com/stacklok/minder/security/advisories/GHSA-v627-69v2-xx37

reference_id

GHSA-v627-69v2-xx37

reference_type

scores

value	7.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-02T19:38:55Z/

url

https://github.com/stacklok/minder/security/advisories/GHSA-v627-69v2-xx37

reference_url

https://github.com/stacklok/minder/blob/main/internal/controlplane/handlers_repositories.go#L257-L299

reference_id

handlers_repositories.go#L257-L299

reference_type

scores

value	7.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-02T19:38:55Z/

url

https://github.com/stacklok/minder/blob/main/internal/controlplane/handlers_repositories.go#L257-L299

reference_url

https://github.com/stacklok/minder/blob/a115c8524fbd582b2b277eaadce024bebbded508/internal/controlplane/handlers_repositories.go#L277-L278

reference_id

handlers_repositories.go#L277-L278

reference_type

scores

value	7.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-02T19:38:55Z/

url

https://github.com/stacklok/minder/blob/a115c8524fbd582b2b277eaadce024bebbded508/internal/controlplane/handlers_repositories.go#L277-L278

Weaknesses

cwe_id	285
name	Improper Authorization
description	The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

Exploits

Severity_range_score 7.0 - 8.9

Exploitability null

Weighted_severity null

Risk_score null

Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-p3et-zkgz-abct

Vulnerability Instance