minder
cpe:2.3:a:lfprojects:minder:*:*:*:*:go:*:*
- 0.20241106.3386+ref.2507dbf
- 0.0.72
- 0.0.73
- 0.0.74
- 0.0.75
- 0.0.76
- 0.0.77
- 0.0.78
- 0.0.79
- 0.0.80
- 0.0.81
- 0.0.82
- 0.0.83
A vulnerability exists in Minder Helm version 0.20241106.3386+ref.2507dbf and Minder Go versions 0.0.72 to 0.0.83 that allows users to fetch content from URLs that should be restricted. This matters when the Minder server sits behind a firewall or network partition. The issue arises because Minder does not sandbox HTTP requests made from Rego programs, so a policy can reach sensitive resources depending on the deployment configuration.
Exploitation of this vulnerability could lead to unauthorized access to URLs and resources that the user would typically be unable to reach, such as services behind a firewall or network partition.
This vulnerability can be reproduced by deploying Minder Helm or Go versions within the affected range and then using the HTTP send capability in a Rego program. The request is issued from the Minder server's network position, so it can fetch content from URLs that are normally inaccessible to the user, including sensitive ones.
Users should upgrade to Minder Helm version 0.20250203.3849+ref.fdc94f0 or Minder Go version 0.0.84. Avoid deploying Minder with access to sensitive resources, especially systems like OpenFGA or Keycloak, depending on the deployment configuration.
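The root cause described above is that outbound HTTP requests issued by Rego policies run with the server's full network reach. The Go code below is an added illustration of the mitigation direction, not Minder's own code or its actual fix: an `http.Client` whose dialer refuses loopback, private, link-local and other internal ranges at connect time (after DNS resolution, so a hostname that resolves to an internal address is caught as well) and re-checks redirect targets. The function names, the blocked-range list and the sample addresses are this example's own assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"syscall"
	"time"
)

// Hypothetical egress policy for a policy engine that lets policies make HTTP
// calls. Constructed example; none of these names are Minder's.

var errBlockedDestination = errors.New("destination not permitted by egress policy")

// blockedNets lists ranges a policy engine should never reach from the server's
// network position: loopback, RFC 1918, link-local (which includes cloud metadata
// endpoints), CGNAT, unspecified, and the IPv6 ULA/link-local equivalents.
var blockedNets = mustParseCIDRs([]string{
	"127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
	"169.254.0.0/16", "100.64.0.0/10", "0.0.0.0/8",
	"::1/128", "fc00::/7", "fe80::/10", "::/128",
})

func mustParseCIDRs(cidrs []string) []*net.IPNet {
	nets := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		nets = append(nets, n)
	}
	return nets
}

// ipBlocked reports whether ip falls in any blocked range. IPv4-mapped IPv6
// addresses (::ffff:10.0.0.1) are unmapped first so they cannot bypass the v4 rules.
func ipBlocked(ip net.IP) bool {
	if v4 := ip.To4(); v4 != nil {
		ip = v4
	}
	for _, n := range blockedNets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// checkDialAddress is applied to the *resolved* host:port the dialer is about to
// connect to, so a hostname resolving to an internal address (or a DNS rebinding
// between a pre-check and the connect) is caught after resolution, not before.
func checkDialAddress(address string) error {
	host, _, err := net.SplitHostPort(address)
	if err != nil {
		return err
	}
	ip := net.ParseIP(host)
	if ip == nil {
		return fmt.Errorf("non-IP dial address %q", host)
	}
	if ipBlocked(ip) {
		return fmt.Errorf("%w: %s", errBlockedDestination, ip)
	}
	return nil
}

// checkRequestURL rejects schemes other than http/https and empty hosts before
// any connection is attempted; it is also run on every redirect target.
func checkRequestURL(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("%w: scheme %q", errBlockedDestination, u.Scheme)
	}
	if u.Hostname() == "" {
		return fmt.Errorf("%w: empty host", errBlockedDestination)
	}
	return nil
}

// newEgressClient builds an http.Client whose dialer refuses blocked destinations
// at connect time. Proxy is left nil so the dial hook sees the real destination,
// and redirects are re-checked because a permitted host could 302 to an internal one.
func newEgressClient() *http.Client {
	dialer := &net.Dialer{
		Timeout: 5 * time.Second,
		Control: func(network, address string, _ syscall.RawConn) error {
			return checkDialAddress(address)
		},
	}
	return &http.Client{
		Timeout:   10 * time.Second,
		Transport: &http.Transport{DialContext: dialer.DialContext, Proxy: nil},
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			if len(via) >= 3 {
				return errors.New("too many redirects")
			}
			return checkRequestURL(req.URL.String())
		},
	}
}

func main() {
	// Constructed sample addresses: a link-local address, a TEST-NET-3 public
	// address, and an IPv4-mapped private address.
	for _, addr := range []string{"169.254.169.254:80", "203.0.113.10:443", "[::ffff:10.1.2.3]:80"} {
		fmt.Printf("%-24s %v\n", addr, checkDialAddress(addr))
	}
	_ = newEgressClient()
}
```

Wiring the check into `net.Dialer.Control` rather than validating the URL string alone is the design point: the URL check cannot see what a hostname will resolve to, while the dial hook sees the final IP the connection would actually go to.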