exploitDog
GHSA-w23q-4hw3-2pp6

Published: 6 Sep 2023
Source: github
GitHub: Reviewed
CVSS3: 8.8

Description

Minio vulnerable to Privilege Escalation on Windows via Path separator manipulation

Impact

All MinIO deployments on Windows prior to RELEASE.2023-03-20T20-16-18Z are impacted. MinIO fails to filter the \ character in object names; on Windows that character is a path separator, so a PutObject request can place an object outside the bucket it was authorised for, i.e. arbitrary object placement across buckets. As a result, a user with low privileges, such as an access key, service account, or STS credential that only has PutObject permission on one specific bucket, can create an admin user.

Patches

There are two patches that together fix this problem comprehensively:

commit b3c54ec81e0a06392abfb3a1ffcdc80c6fbf6ebc
Author: Harshavardhana <harsha@minio.io>
Date:   Mon Mar 20 13:16:00 2023 -0700

    reject object names with '\' on windows (#16856)

commit 8d6558b23649f613414c8527b58973fbdfa4d1b8
Author: Harshavardhana <harsha@minio.io>
Date:   Mon Mar 20 00:35:25 2023 -0700

    fix: convert '\' to '/' on windows (#16852)

Workarounds

There are no known workarounds

References

The vulnerable code (pre-patch; the package clause, import and the constants it relies on are filled in from the rest of minio/cmd so the excerpt compiles):

```go
// minio/cmd/generic-handlers.go
package cmd

import "strings"

// Defined elsewhere in minio/cmd.
const (
	SlashSeparator  = "/"
	dotdotComponent = ".."
	dotComponent    = "."
)

// Check if the incoming path has bad path components,
// such as ".." and "."
// SlashSeparator -> /
// dotdotComponent -> ..
// dotComponent -> .
//
// Only "/" is treated as a separator, so on Windows a name such as
// `..\..\x` is one component, never equals "..", and passes the check.
func hasBadPathComponent(path string) bool {
	path = strings.TrimSpace(path)
	for _, p := range strings.Split(path, SlashSeparator) {
		switch strings.TrimSpace(p) {
		case dotdotComponent:
			return true
		case dotComponent:
			return true
		}
	}
	return false
}
```
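The Impact section and the check above describe the same gap from two sides. The following Go program is an added example, not code from the MinIO project or from the advisory: it places the pre-patch component check beside a model of the two fixes (normalising '\' to '/' before inspecting components, and rejecting any '\' outright on Windows), reconstructed from the commit titles rather than the exact diffs, and a simplified windowsResolve that stands in for how a store on a Windows filesystem would resolve an accepted name. The onWindows parameter replaces runtime.GOOS == "windows" so the program runs on any platform; the data root, bucket names and the sample key are constructed for the example, and windowsResolve deliberately ignores MinIO's real on-disk layout.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Constants as defined in minio/cmd.
const (
	SlashSeparator  = "/"
	dotdotComponent = ".."
	dotComponent    = "."
)

// hasBadPathComponentVulnerable is the pre-patch check from
// cmd/generic-handlers.go: it splits only on "/", so `..\x` is a single
// component that never equals "..".
func hasBadPathComponentVulnerable(p string) bool {
	p = strings.TrimSpace(p)
	for _, c := range strings.Split(p, SlashSeparator) {
		switch strings.TrimSpace(c) {
		case dotdotComponent, dotComponent:
			return true
		}
	}
	return false
}

// hasBadPathComponentFixed models commit 8d6558b ("convert '\' to '/' on
// windows"): on a Windows host, normalise backslashes to "/" before the
// component check runs. This is an assumed model of the fix, not its diff.
func hasBadPathComponentFixed(p string, onWindows bool) bool {
	if onWindows {
		p = strings.ReplaceAll(p, `\`, SlashSeparator)
	}
	return hasBadPathComponentVulnerable(p)
}

// rejectBackslashOnWindows models commit b3c54ec ("reject object names
// with '\' on windows"): a backslash is never a legitimate object-name
// character on a Windows host, so refuse the name outright. Assumed model.
func rejectBackslashOnWindows(objectName string, onWindows bool) bool {
	return onWindows && strings.Contains(objectName, `\`)
}

// windowsResolve is a toy model of where an accepted name would land on a
// Windows filesystem, which treats '\' and '/' alike as separators: a name
// containing `..\` climbs out of the bucket directory into a sibling bucket.
// Root and bucket are constructed inputs; MinIO's real layout is not modelled.
func windowsResolve(root, bucket, objectName string) string {
	objectName = strings.ReplaceAll(objectName, `\`, SlashSeparator)
	return path.Clean(path.Join(root, bucket, objectName))
}

func main() {
	// Constructed sample: PutObject into "public-uploads" with a key that
	// walks into the sibling bucket "other-bucket" via a backslash component.
	const bucket = "public-uploads"
	const key = `..\other-bucket\planted.txt`

	fmt.Printf("pre-patch check rejects key:        %v\n", hasBadPathComponentVulnerable(key))
	fmt.Printf("object would land at:               %s\n", windowsResolve("C:/minio-data", bucket, key))
	fmt.Printf("normalise-then-check rejects (win): %v\n", hasBadPathComponentFixed(key, true))
	fmt.Printf("backslash rejected outright (win):  %v\n", rejectBackslashOnWindows(key, true))
	fmt.Printf("same key on Linux is a plain name:  %v\n", hasBadPathComponentFixed(key, false))
}
```

The last line of output is the reason the fixes are Windows-specific: on Linux a backslash is an ordinary byte in an object name and the filesystem never treats it as a separator, so rejecting it everywhere would break legitimate keys.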

Packages

Name: github.com/minio/minio (go)
Affected versions: < 0.0.0-202303200735
Fixed version: 0.0.0-202303200735

EPSS

Percentile: 52%
Score: 0.00296
Low

CVSS3: 8.8 High

Weaknesses

CWE-668

Related vulnerabilities

CVSS3: 8.8
nvd
more than 2 years ago

Minio is a Multi-Cloud Object Storage framework. All users on Windows prior to version RELEASE.2023-03-20T20-16-18Z are impacted. MinIO fails to filter the `\` character, which allows for arbitrary object placement across buckets. As a result, a user with low privileges, such as an access key, service account, or STS credential, which only has permission to `PutObject` in a specific bucket, can create an admin user. This issue is patched in RELEASE.2023-03-20T20-16-18Z. There are no known workarounds.

CVSS3: 8.8
debian
more than 2 years ago

Minio is a Multi-Cloud Object Storage framework. All users on Windows ...

CVSS3: 8.8
fstec
more than 2 years ago

A vulnerability in the MinIO object storage server related to access control flaws, allowing an attacker to create a user with administrator privileges

CVSS3: 8.8
redos
11 months ago

Multiple vulnerabilities in minio
