CVE-2024-31455 - Vulnerability Details - OpenCVE

Minder by Stacklok is an open source software supply chain security platform. A refactoring in commit `5c381cf` added the ability to get GitHub repositories registered to a project without specifying a specific provider. Unfortunately, the SQL query for doing so was missing parenthesis, and would select a random repository. This issue is patched in pull request 2941. As a workaround, revert prior to `5c381cf`, or roll forward past `2eb94e7`.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00448.

Exploitation none

Automatable no

Technical Impact partial

No data.

No data.

No data.

No data.

References

Link	Providers
https://github.com/stacklok/minder/commit/11b6573ad62cfdd783a8bb52f3fce461466037f4
https://github.com/stacklok/minder/commit/5c381cfbf3e4b7ce040ed8511a1fae1a78a0014b
https://github.com/stacklok/minder/pull/2941
https://github.com/stacklok/minder/security/advisories/GHSA-ggp5-28x4-xcj9

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-04-09T16:52:03.254Z

Updated: 2024-08-02T01:52:56.973Z

Reserved: 2024-04-03T17:55:32.646Z

Link: CVE-2024-31455

Vulnrichment

Updated: 2024-07-05T12:48:46.822Z

NVD

Status : Deferred

Published: 2024-04-09T17:16:03.043

Modified: 2026-04-15T00:35:42.020

Link: CVE-2024-31455

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-31455", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-04-03T17:55:32.646Z", "datePublished": "2024-04-09T16:52:03.254Z", "dateUpdated": "2024-08-02T01:52:56.973Z"}, "containers": {"cna": {"title": "Minder GetRepositoryByName data leak", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/stacklok/minder/security/advisories/GHSA-ggp5-28x4-xcj9", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/stacklok/minder/security/advisories/GHSA-ggp5-28x4-xcj9"}, {"name": "https://github.com/stacklok/minder/pull/2941", "tags": ["x_refsource_MISC"], "url": "https://github.com/stacklok/minder/pull/2941"}, {"name": "https://github.com/stacklok/minder/commit/11b6573ad62cfdd783a8bb52f3fce461466037f4", "tags": ["x_refsource_MISC"], "url": "https://github.com/stacklok/minder/commit/11b6573ad62cfdd783a8bb52f3fce461466037f4"}, {"name": "https://github.com/stacklok/minder/commit/5c381cfbf3e4b7ce040ed8511a1fae1a78a0014b", "tags": ["x_refsource_MISC"], "url": "https://github.com/stacklok/minder/commit/5c381cfbf3e4b7ce040ed8511a1fae1a78a0014b"}], "affected": [{"vendor": "stacklok", "product": "minder", "versions": [{"version": "= 0.0.39", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-04-09T16:52:03.254Z"}, "descriptions": [{"lang": "en", "value": "Minder by Stacklok is an open source software supply chain security platform. A refactoring in commit `5c381cf` added the ability to get GitHub repositories registered to a project without specifying a specific provider. Unfortunately, the SQL query for doing so was missing parenthesis, and would select a random repository. This issue is patched in pull request 2941. As a workaround, revert prior to `5c381cf`, or roll forward past `2eb94e7`."}], "source": {"advisory": "GHSA-ggp5-28x4-xcj9", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-03T19:55:31.110388Z", "id": "CVE-2024-31455", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-05T12:48:49.143Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T01:52:56.973Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/stacklok/minder/security/advisories/GHSA-ggp5-28x4-xcj9", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/stacklok/minder/security/advisories/GHSA-ggp5-28x4-xcj9"}, {"name": "https://github.com/stacklok/minder/pull/2941", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/stacklok/minder/pull/2941"}, {"name": "https://github.com/stacklok/minder/commit/11b6573ad62cfdd783a8bb52f3fce461466037f4", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/stacklok/minder/commit/11b6573ad62cfdd783a8bb52f3fce461466037f4"}, {"name": "https://github.com/stacklok/minder/commit/5c381cfbf3e4b7ce040ed8511a1fae1a78a0014b", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/stacklok/minder/commit/5c381cfbf3e4b7ce040ed8511a1fae1a78a0014b"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-31455", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-03T19:55:31.110388Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-05T12:48:46.822Z"}}], "cna": {"title": "Minder GetRepositoryByName data leak", "source": {"advisory": "GHSA-ggp5-28x4-xcj9", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "stacklok", "product": "minder", "versions": [{"status": "affected", "version": "= 0.0.39"}]}], "references": [{"url": "https://github.com/stacklok/minder/security/advisories/GHSA-ggp5-28x4-xcj9", "name": "https://github.com/stacklok/minder/security/advisories/GHSA-ggp5-28x4-xcj9", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/stacklok/minder/pull/2941", "name": "https://github.com/stacklok/minder/pull/2941", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/stacklok/minder/commit/11b6573ad62cfdd783a8bb52f3fce461466037f4", "name": "https://github.com/stacklok/minder/commit/11b6573ad62cfdd783a8bb52f3fce461466037f4", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/stacklok/minder/commit/5c381cfbf3e4b7ce040ed8511a1fae1a78a0014b", "name": "https://github.com/stacklok/minder/commit/5c381cfbf3e4b7ce040ed8511a1fae1a78a0014b", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Minder by Stacklok is an open source software supply chain security platform. A refactoring in commit `5c381cf` added the ability to get GitHub repositories registered to a project without specifying a specific provider. Unfortunately, the SQL query for doing so was missing parenthesis, and would select a random repository. This issue is patched in pull request 2941. As a workaround, revert prior to `5c381cf`, or roll forward past `2eb94e7`."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-04-09T16:52:03.254Z"}}}, "cveMetadata": {"cveId": "CVE-2024-31455", "state": "PUBLISHED", "dateUpdated": "2024-07-05T12:48:49.143Z", "dateReserved": "2024-04-03T17:55:32.646Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-04-09T16:52:03.254Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Minder by Stacklok is an open source software supply chain security platform. A refactoring in commit `5c381cf` added the ability to get GitHub repositories registered to a project without specifying a specific provider. Unfortunately, the SQL query for doing so was missing parenthesis, and would select a random repository. This issue is patched in pull request 2941. As a workaround, revert prior to `5c381cf`, or roll forward past `2eb94e7`."}, {"lang": "es", "value": "Minder de Stacklok es una plataforma de seguridad de la cadena de suministro de software de c\u00f3digo abierto. Una refactorizaci\u00f3n en el commit `5c381cf` agreg\u00f3 la capacidad de registrar repositorios de GitHub en un proyecto sin especificar un proveedor espec\u00edfico. Desafortunadamente, a la consulta SQL para hacerlo le faltaba par\u00e9ntesis y seleccionaba un repositorio aleatorio. Este problema se solucion\u00f3 en la solicitud de extracci\u00f3n 2941. Como workaround, revierta antes de `5c381cf` o avance m\u00e1s all\u00e1 de `2eb94e7`."}], "id": "CVE-2024-31455", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-04-09T17:16:03.043", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/stacklok/minder/commit/11b6573ad62cfdd783a8bb52f3fce461466037f4"}, {"source": "security-advisories@github.com", "url": "https://github.com/stacklok/minder/commit/5c381cfbf3e4b7ce040ed8511a1fae1a78a0014b"}, {"source": "security-advisories@github.com", "url": "https://github.com/stacklok/minder/pull/2941"}, {"source": "security-advisories@github.com", "url": "https://github.com/stacklok/minder/security/advisories/GHSA-ggp5-28x4-xcj9"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/stacklok/minder/commit/11b6573ad62cfdd783a8bb52f3fce461466037f4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/stacklok/minder/commit/5c381cfbf3e4b7ce040ed8511a1fae1a78a0014b"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/stacklok/minder/pull/2941"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/stacklok/minder/security/advisories/GHSA-ggp5-28x4-xcj9"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Secondary"}]}