Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Minder trusts client-provided mapping from repo name to upstream ID
Vulnerability Description
Minder is a Software Supply Chain Security Platform. In version 0.0.31 and earlier, it is possible for an attacker to register a repository with a invalid or differing upstream ID, which causes Minder to report the repository as registered, but not remediate any future changes which conflict with policy (because the webhooks for the repo do not match any known repository in the database). When attempting to register a repo with a different repo ID, the registered provider must have admin on the named repo, or a 404 error will result. Similarly, if the stored provider token does not have repo access, then the remediations will not apply successfully. Lastly, it appears that reconciliation actions do not execute against repos with this type of mismatch. This appears to primarily be a potential denial-of-service vulnerability. This vulnerability is patched in version 0.20240226.1425+ref.53868a8.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L
Vulnerability Type
输入验证不恰当
Vulnerability Title
Minder 安全漏洞
Vulnerability Description
Minder是一个开源平台,可帮助开发团队和开源社区构建更安全的软件,并向其他人证明他们构建的软件是安全的。 Minder 0.0.31及之前版本存在安全漏洞,该漏洞源于攻击者可能会使用无效或不同的上游ID注册存储库,这会导致潜在的拒绝服务。
CVSS Information
N/A
Vulnerability Type
N/A