CVE-2024-27093

CVE-2024-27093 is a medium-severity improper input validation vulnerability in github.com/stacklok/minder (go), affecting versions < 0.20240226.1425. It is fixed in 0.20240226.1425.

Does this CVE actually affect you?

Kodem shows which CVEs are reachable and running in your applications, so you fix what's exploitable, not just what's listed.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Runtime intelligence, not another scanner.

Summary

Minder trusts client-provided mapping from repo name to upstream ID

When using a modified client or the grpc interface directly, the RegisterRepository call accepts both the repository owner / repo and the repo_id. Furthermore, these two are not checked for matching before registering webhooks and data in the database.

Details

It is possible for an attacker to register a repository with a invalid or differing upstream ID, which causes Minder to report the repository as registered, but not remediate any future changes which conflict with policy (because the webhooks for the repo do not match any known repository in the database). When attempting to register a repo with a different repo ID, the registered provider must have admin on the named repo, or a 404 error will result. Similarly, if the stored provider token does not have repo access, then the remediations will not apply successfully. Lastly, it appears that reconciliation actions do not execute against repos with this type of mismatch.

PoC

With an RPC like the following text proto:

context {
  ...
}
repository {
  owner: "Stacklok-Demo-Org"
  repo: "python-app"
  # repo_id is defaulted to 0
}

I was able to produce the following minder output:

+--------------------------------------+--------------------------------------+----------+-------------+-------------------+------------+
|                  ID                  |               PROJECT                | PROVIDER | UPSTREAM ID |       OWNER       |    NAME    |
+--------------------------------------+--------------------------------------+----------+-------------+-------------------+------------+
| da3acba4-ef66-4d9b-b41e-250869107fd5 | f9f4aef0-74af-4909-a0c3-0e8ac7fbc38d | github   |           0 | Stacklok-Demo-Org | python-app |
+--------------------------------------+--------------------------------------+----------+-------------+-------------------+------------+
| 7cf8f7b8-b19b-40dd-a96b-b88bb1ef5563 | f9f4aef0-74af-4909-a0c3-0e8ac7fbc38d | github   |   762029128 | evankanderson     | bad-python |
+--------------------------------------+--------------------------------------+----------+-------------+-------------------+------------+
$ gh api repos/Stacklok-Demo-Org/python-app | jq .id                  
762029128

I've registered bad-python with the ID of python-app, and python-app with an ID of 0.

Impact

This appears to primarily be a potential denial-of-service vulnerability.

The application does not adequately validate input before processing it, allowing unexpected values to reach sensitive code paths. Typical impact: varies by context: data corruption, logic bypass, or denial of service.

CVE-2024-27093 has a CVSS score of 4.6 (Medium). The vector is network-reachable, low privileges required, and user interaction required. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (0.20240226.1425); upgrading removes the vulnerable code path.

Affected versions

github.com/stacklok/minder (< 0.20240226.1425)

Security releases

github.com/stacklok/minder → 0.20240226.1425 (go)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

Already deployed Kodem?

See it in your environmentNew to Kodem? Get a demo →

Remediation advice

Upgrade github.com/stacklok/minder to 0.20240226.1425 or later to resolve this vulnerability.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2024-27093? CVE-2024-27093 is a medium-severity improper input validation vulnerability in github.com/stacklok/minder (go), affecting versions < 0.20240226.1425. It is fixed in 0.20240226.1425. The application does not adequately validate input before processing it, allowing unexpected values to reach sensitive code paths.
  2. How severe is CVE-2024-27093? CVE-2024-27093 has a CVSS score of 4.6 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of github.com/stacklok/minder are affected by CVE-2024-27093? github.com/stacklok/minder (go) versions < 0.20240226.1425 is affected.
  4. Is there a fix for CVE-2024-27093? Yes. CVE-2024-27093 is fixed in 0.20240226.1425. Upgrade to this version or later.
  5. Is CVE-2024-27093 exploitable, and should I be worried? Whether CVE-2024-27093 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether CVE-2024-27093 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2024-27093? Upgrade github.com/stacklok/minder to 0.20240226.1425 or later.

Other vulnerabilities in github.com/stacklok/minder

Stop the waste.
Protect your environment with Kodem.