x/vulndb: potential Go vuln in github.com/stacklok/minder: CVE-2024-27093 #2582
Comments
Vuln in an internal package imported only by a binary.
Change https://go.dev/cl/567817 mentions this issue:
Change https://go.dev/cl/569597 mentions this issue:
Change https://go.dev/cl/592778 mentions this issue:
- data/reports/GO-2024-2521.yaml
- data/reports/GO-2024-2434.yaml
- data/reports/GO-2024-2537.yaml
- data/reports/GO-2024-2432.yaml
- data/reports/GO-2024-2483.yaml
- data/reports/GO-2024-2480.yaml
- data/reports/GO-2024-2433.yaml
- data/reports/GO-2024-2530.yaml
- data/reports/GO-2024-2556.yaml
- data/reports/GO-2024-2472.yaml
- data/reports/GO-2024-2540.yaml
- data/reports/GO-2024-2560.yaml
- data/reports/GO-2024-2561.yaml
- data/reports/GO-2024-2590.yaml
- data/reports/GO-2024-2428.yaml
- data/reports/GO-2024-2508.yaml
- data/reports/GO-2024-2592.yaml
- data/reports/GO-2024-2511.yaml
- data/reports/GO-2024-2491.yaml
- data/reports/GO-2024-2479.yaml
- data/reports/GO-2024-2509.yaml
- data/reports/GO-2024-2589.yaml
- data/reports/GO-2024-2496.yaml
- data/reports/GO-2024-2505.yaml
- data/reports/GO-2024-2558.yaml
- data/reports/GO-2024-2430.yaml
- data/reports/GO-2024-2594.yaml
- data/reports/GO-2024-2431.yaml
- data/reports/GO-2024-2488.yaml
- data/reports/GO-2024-2495.yaml
- data/reports/GO-2024-2557.yaml
- data/reports/GO-2024-2442.yaml
- data/reports/GO-2024-2593.yaml
- data/reports/GO-2024-2512.yaml
- data/reports/GO-2024-2528.yaml
- data/reports/GO-2024-2529.yaml
- data/reports/GO-2024-2588.yaml
- data/reports/GO-2024-2562.yaml
- data/reports/GO-2024-2441.yaml
- data/reports/GO-2024-2591.yaml
- data/reports/GO-2024-2477.yaml
- data/reports/GO-2024-2448.yaml
- data/reports/GO-2024-2510.yaml
- data/reports/GO-2024-2564.yaml
- data/reports/GO-2024-2476.yaml
- data/reports/GO-2024-2527.yaml
- data/reports/GO-2024-2481.yaml
- data/reports/GO-2024-2445.yaml
- data/reports/GO-2024-2457.yaml
- data/reports/GO-2024-2446.yaml
- data/reports/GO-2024-2447.yaml
- data/reports/GO-2024-2501.yaml
- data/reports/GO-2024-2440.yaml
- data/reports/GO-2024-2500.yaml
- data/reports/GO-2024-2444.yaml
- data/reports/GO-2024-2550.yaml
- data/reports/GO-2024-2523.yaml
- data/reports/GO-2024-2516.yaml
- data/reports/GO-2024-2531.yaml
- data/reports/GO-2024-2595.yaml
- data/reports/GO-2024-2520.yaml
- data/reports/GO-2024-2582.yaml
- data/reports/GO-2024-2485.yaml
- data/reports/GO-2024-2541.yaml
- data/reports/GO-2024-2563.yaml
- data/reports/GO-2024-2532.yaml
- data/reports/GO-2024-2450.yaml
- data/reports/GO-2024-2515.yaml
- data/reports/GO-2024-2499.yaml
- data/reports/GO-2024-2514.yaml
- data/reports/GO-2024-2535.yaml
- data/reports/GO-2024-2458.yaml
- data/reports/GO-2024-2449.yaml
- data/reports/GO-2024-2549.yaml
- data/reports/GO-2024-2517.yaml
- data/reports/GO-2024-2478.yaml
- data/reports/GO-2024-2559.yaml
- data/reports/GO-2024-2486.yaml
- data/reports/GO-2024-2513.yaml
- data/reports/GO-2024-2565.yaml

Updates #2521
Updates #2434
Updates #2537
Updates #2432
Updates #2483
Updates #2480
Updates #2433
Updates #2530
Updates #2556
Updates #2472
Updates #2540
Updates #2560
Updates #2561
Updates #2590
Updates #2428
Updates #2508
Updates #2592
Updates #2511
Updates #2491
Updates #2479
Updates #2509
Updates #2589
Updates #2496
Updates #2505
Updates #2558
Updates #2430
Updates #2594
Updates #2431
Updates #2488
Updates #2495
Updates #2557
Updates #2442
Updates #2593
Updates #2512
Updates #2528
Updates #2529
Updates #2588
Updates #2562
Updates #2441
Updates #2591
Updates #2477
Updates #2448
Updates #2510
Updates #2564
Updates #2476
Updates #2527
Updates #2481
Updates #2445
Updates #2457
Updates #2446
Updates #2447
Updates #2501
Updates #2440
Updates #2500
Updates #2444
Updates #2550
Updates #2523
Updates #2516
Updates #2531
Updates #2595
Updates #2520
Updates #2582
Updates #2485
Updates #2541
Updates #2563
Updates #2532
Updates #2450
Updates #2515
Updates #2499
Updates #2514
Updates #2535
Updates #2458
Updates #2449
Updates #2549
Updates #2517
Updates #2478
Updates #2559
Updates #2486
Updates #2513
Updates #2565

Change-Id: I9920757c40e457cb5d033ef0e0a99deb6a5c29b5
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/592778
LUCI-TryBot-Result: Go LUCI <[email protected]>
Reviewed-by: Damien Neil <[email protected]>
Change https://go.dev/cl/606358 mentions this issue:
- data/reports/GO-2024-2428.yaml
- data/reports/GO-2024-2442.yaml
- data/reports/GO-2024-2444.yaml
- data/reports/GO-2024-2445.yaml
- data/reports/GO-2024-2446.yaml
- data/reports/GO-2024-2447.yaml
- data/reports/GO-2024-2448.yaml
- data/reports/GO-2024-2449.yaml
- data/reports/GO-2024-2450.yaml
- data/reports/GO-2024-2478.yaml
- data/reports/GO-2024-2485.yaml
- data/reports/GO-2024-2486.yaml
- data/reports/GO-2024-2488.yaml
- data/reports/GO-2024-2499.yaml
- data/reports/GO-2024-2501.yaml
- data/reports/GO-2024-2505.yaml
- data/reports/GO-2024-2508.yaml
- data/reports/GO-2024-2509.yaml
- data/reports/GO-2024-2511.yaml
- data/reports/GO-2024-2513.yaml
- data/reports/GO-2024-2514.yaml
- data/reports/GO-2024-2515.yaml
- data/reports/GO-2024-2517.yaml
- data/reports/GO-2024-2519.yaml
- data/reports/GO-2024-2520.yaml
- data/reports/GO-2024-2523.yaml
- data/reports/GO-2024-2540.yaml
- data/reports/GO-2024-2541.yaml
- data/reports/GO-2024-2566.yaml
- data/reports/GO-2024-2568.yaml
- data/reports/GO-2024-2569.yaml
- data/reports/GO-2024-2576.yaml
- data/reports/GO-2024-2578.yaml
- data/reports/GO-2024-2579.yaml
- data/reports/GO-2024-2580.yaml
- data/reports/GO-2024-2582.yaml
- data/reports/GO-2024-2588.yaml
- data/reports/GO-2024-2589.yaml
- data/reports/GO-2024-2590.yaml
- data/reports/GO-2024-2591.yaml
- data/reports/GO-2024-2592.yaml
- data/reports/GO-2024-2593.yaml
- data/reports/GO-2024-2594.yaml
- data/reports/GO-2024-2595.yaml
- data/reports/GO-2024-2597.yaml
- data/reports/GO-2024-2629.yaml
- data/reports/GO-2024-2635.yaml
- data/reports/GO-2024-2636.yaml
- data/reports/GO-2024-2637.yaml
- data/reports/GO-2024-2641.yaml

Updates #2428
Updates #2442
Updates #2444
Updates #2445
Updates #2446
Updates #2447
Updates #2448
Updates #2449
Updates #2450
Updates #2478
Updates #2485
Updates #2486
Updates #2488
Updates #2499
Updates #2501
Updates #2505
Updates #2508
Updates #2509
Updates #2511
Updates #2513
Updates #2514
Updates #2515
Updates #2517
Updates #2519
Updates #2520
Updates #2523
Updates #2540
Updates #2541
Updates #2566
Updates #2568
Updates #2569
Updates #2576
Updates #2578
Updates #2579
Updates #2580
Updates #2582
Updates #2588
Updates #2589
Updates #2590
Updates #2591
Updates #2592
Updates #2593
Updates #2594
Updates #2595
Updates #2597
Updates #2629
Updates #2635
Updates #2636
Updates #2637
Updates #2641

Change-Id: If02ad5ae2b621addda56b45d8c84b0476a12737b
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/606358
Reviewed-by: Damien Neil <[email protected]>
Auto-Submit: Tatiana Bradley <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>
CVE-2024-27093 references github.com/stacklok/minder, which may be a Go module.
Description:
Minder is a Software Supply Chain Security Platform. In version 0.0.31 and earlier, it is possible for an attacker to register a repository with an invalid or differing upstream ID, which causes Minder to report the repository as registered, but not remediate any future changes which conflict with policy (because the webhooks for the repo do not match any known repository in the database). When attempting to register a repo with a different repo ID, the registered provider must have admin on the named repo, or a 404 error will result. Similarly, if the stored provider token does not have repo access, then the remediations will not apply successfully. Lastly, it appears that reconciliation actions do not execute against repos with this type of mismatch. This appears to primarily be a potential denial-of-service vulnerability. This vulnerability is patched in version 0.20240226.1425+ref.53868a8.
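The failure mode the description lays out is a registration path that trusts a caller-supplied upstream repository ID, so the stored record never lines up with the webhooks the provider later sends, and policy enforcement is silently skipped. The following Go program is an added illustration of the defensive check that closes that gap; it is not Minder's code and uses hypothetical names (`Registry`, `Provider`, `Register`, `HandleWebhook`, `fakeProvider`): the caller's claimed ID is compared against the ID the provider itself reports for the named repository, a mismatch is refused rather than persisted, and a webhook for an unregistered repository surfaces as an explicit error instead of being dropped. The provider client and its repository data are constructed in-memory stand-ins.

```go
package main

import (
	"errors"
	"fmt"
)

// ProviderRepo is the canonical repository record as reported by the upstream
// provider (hypothetical shape; not Minder's own type).
type ProviderRepo struct {
	Owner string
	Name  string
	ID    int64
}

// Provider looks up repository metadata using the stored provider token.
type Provider interface {
	GetRepo(owner, name string) (ProviderRepo, error)
}

// RegisteredRepo is what gets persisted after a successful registration.
type RegisteredRepo struct {
	Owner      string
	Name       string
	UpstreamID int64
}

var (
	ErrUpstreamIDMismatch = errors.New("upstream ID does not match provider record")
	ErrUnknownRepository  = errors.New("webhook for unregistered repository")
)

// Registry is an in-memory stand-in for the database, keyed by upstream ID
// because that is the key webhook deliveries carry.
type Registry struct {
	byUpstreamID map[int64]RegisteredRepo
}

func NewRegistry() *Registry {
	return &Registry{byUpstreamID: make(map[int64]RegisteredRepo)}
}

// Register is the hardened registration path: the claimed upstream ID is only
// accepted if it equals the ID the provider reports for owner/name. The record
// that is stored is built from the provider's answer, not from caller input.
func (r *Registry) Register(p Provider, owner, name string, claimedID int64) (RegisteredRepo, error) {
	canon, err := p.GetRepo(owner, name)
	if err != nil {
		return RegisteredRepo{}, fmt.Errorf("lookup %s/%s: %w", owner, name, err)
	}
	if canon.ID != claimedID {
		return RegisteredRepo{}, fmt.Errorf("%s/%s: claimed %d, provider reports %d: %w",
			owner, name, claimedID, canon.ID, ErrUpstreamIDMismatch)
	}
	rec := RegisteredRepo{Owner: canon.Owner, Name: canon.Name, UpstreamID: canon.ID}
	r.byUpstreamID[canon.ID] = rec
	return rec, nil
}

// HandleWebhook resolves an incoming event by the upstream repo ID it carries.
// An unknown ID is returned as an error so the caller can log and alert on it
// rather than silently skipping remediation.
func (r *Registry) HandleWebhook(repoID int64) (RegisteredRepo, error) {
	rec, ok := r.byUpstreamID[repoID]
	if !ok {
		return RegisteredRepo{}, fmt.Errorf("repo id %d: %w", repoID, ErrUnknownRepository)
	}
	return rec, nil
}

// fakeProvider is a constructed stand-in for a real provider client; a missing
// entry plays the role of "not found / no admin access on that repo".
type fakeProvider map[string]ProviderRepo

func (f fakeProvider) GetRepo(owner, name string) (ProviderRepo, error) {
	repo, ok := f[owner+"/"+name]
	if !ok {
		return ProviderRepo{}, fmt.Errorf("%s/%s: not found or no admin access", owner, name)
	}
	return repo, nil
}

// Demo walks through the three outcomes: a correct registration succeeds, a
// registration with a differing upstream ID is refused, and a webhook for an
// ID that was never registered is flagged instead of ignored.
func Demo() (okRegistered, mismatchRejected, unknownWebhookFlagged bool) {
	p := fakeProvider{"acme/app": {Owner: "acme", Name: "app", ID: 1001}} // constructed data
	reg := NewRegistry()
	_, err := reg.Register(p, "acme", "app", 1001)
	okRegistered = err == nil
	_, err = reg.Register(p, "acme", "app", 4242)
	mismatchRejected = errors.Is(err, ErrUpstreamIDMismatch)
	_, err = reg.HandleWebhook(4242)
	unknownWebhookFlagged = errors.Is(err, ErrUnknownRepository)
	return
}

func main() {
	ok, rej, flagged := Demo()
	fmt.Printf("registered=%v mismatch_rejected=%v unknown_webhook_flagged=%v\n", ok, rej, flagged)
}
```

The key design choice is that the persisted record is derived from the provider's response rather than from the request, so the stored ID can only ever be one the provider vouches for; the second choice is that a webhook for an unknown repository is a detectable event, which is what turns a silent policy gap into something an operator can monitor.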
References:
Cross references:
No existing reports found with this module or alias.
See doc/triage.md for instructions on how to triage this report.