Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

github логотип

GHSA-2pxw-r47w-4p8c

Опубликовано: 05 сент. 2023
Источник: github
Github: Прошло ревью
CVSS3: 8.8

Описание

Privilege Escalation on Linux/MacOS

Impact

An attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing PostPolicyBucket. To carry out this attack, the attacker requires credentials with arn:aws:s3:::* permission, as well as enabled Console API access.

Patches

commit 67f4ba154a27a1b06e48bfabda38355a010dfca5 Author: Aditya Manthramurthy <donatello@users.noreply.github.com> Date: Sun Mar 19 21:15:20 2023 -0700 fix: post policy request security bypass (#16849)

Workarounds

Browser API access must be enabled turning off MINIO_BROWSER=off allows for this workaround.

References

The vulnerable code:

// minio/cmd/generic-handlers.go func setRequestValidityHandler(h http.Handler) http.Handler { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { // ... // For all other requests reject access to reserved buckets bucketName, _ := request2BucketObjectName(r) if isMinioReservedBucket(bucketName) || isMinioMetaBucket(bucketName) { if !guessIsRPCReq(r) && !guessIsBrowserReq(r) && !guessIsHealthCheckReq(r) && !guessIsMetricsReq(r) && !isAdminReq(r) && !isKMSReq(r) { if ok { tc.FuncName = "handler.ValidRequest" tc.ResponseRecorder.LogErrBody = true } writeErrorResponse(r.Context(), w, errorCodes.ToAPIErr(ErrAllAccessDisabled), r.URL) return } } // ...

Ссылки

Пакеты

Наименование

github.com/minio/minio

go
Затронутые версииВерсия исправления

< 0.0.0-202303200415

0.0.0-202303200415

EPSS

Процентиль: 98%
0.46005
Средний

8.8 High

CVSS3

CVE ID

CVE-2023-28434

Дефекты

CWE-269

Связанные уязвимости

nvd логотип

CVE-2023-28434

CVSS3: 8.8
nvd
почти 3 года назад

Minio is a Multi-Cloud Object Storage framework. Prior to RELEASE.2023-03-20T20-16-18Z, an attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing `PostPolicyBucket`. To carry out this attack, the attacker requires credentials with `arn:aws:s3:::*` permission, as well as enabled Console API access. This issue has been patched in RELEASE.2023-03-20T20-16-18Z. As a workaround, enable browser API access and turn off `MINIO_BROWSER=off`.

debian логотип

CVE-2023-28434

CVSS3: 8.8
debian
почти 3 года назад

Minio is a Multi-Cloud Object Storage framework. Prior to RELEASE.2023 ...

fstec логотип

BDU:2023-05199

CVSS3: 8.8
fstec
почти 3 года назад

Уязвимость компонента PostPolicyBucket сервера хранения объектов MinIO, позволяющая нарушителю выполнить произвольный код

redos логотип

ROS-20240807-05

CVSS3: 8.8
redos
больше 1 года назад

Множественные уязвимости minio

EPSS

Процентиль: 98%
0.46005
Средний

8.8 High

CVSS3

CVE ID

CVE-2023-28434

Дефекты

CWE-269