Minder is a Software Supply Chain Security Platform. In version 0.0.31 and earlier, it is possible for an attacker to register a repository with an invalid or differing upstream ID, which causes Minder to report the repository as registered but not remediate any future changes that conflict with policy (because the webhooks for the repo do not match any known repository in the database). When attempting to register a repo with a different repo ID, the registered provider must have admin on the named repo, or a 404 error will result. Similarly, if the stored provider token does not have repo access, then the remediations will not apply successfully. Lastly, it appears that reconciliation actions do not execute against repos with this type of mismatch. This appears to primarily be a potential denial-of-service vulnerability. This vulnerability is patched in version 0.20240226.1425+ref.53868a8.
Metrics
Affected Vendors & Products
References
History
Wed, 05 Feb 2025 17:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | Lfprojects Lfprojects minder | |
| Weaknesses | NVD-CWE-noinfo | |
| CPEs | cpe:2.3:a:lfprojects:minder:*:*:*:*:*:go:*:* | |
| Vendors & Products | Lfprojects Lfprojects minder | |
MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published: 2024-02-26T21:57:25.101Z
Updated: 2024-08-27T19:43:28.099Z
Reserved: 2024-02-19T14:43:05.993Z
Link: CVE-2024-27093
Vulnrichment
Updated: 2024-08-02T00:27:58.381Z
NVD
Status: Analyzed
Published: 2024-02-26T22:15:07.113
Modified: 2025-02-05T16:37:05.137
Link: CVE-2024-27093
Redhat
No data.