Описание
MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. The signature component of the authorization may be invalid, which would mean that as a client you can use any arbitrary secret to upload objects given the user already has prior WRITE permissions on the bucket. Prior knowledge of access-key, and bucket name this user might have access
to - and an access-key with a WRITE permissions is necessary. However with relevant information in place, uploading random objects to buckets is trivial and easy via curl. This issue is fixed in RELEASE.2025-04-03T14-56-28Z.
A flaw was found in the Minio package. The signature component of the authorization may be invalid, which would mean that, as a client, you can use any arbitrary secret to upload objects, given the user already has prior WRITE permissions on the bucket. Prior knowledge of the access key and bucket name this user might have access to is necessary, and an access key with WRITE permissions is necessary. However, with relevant information in place, uploading random objects to buckets is trivial and easy via curl.
Меры по смягчению последствий
To mitigate this issue, reject requests with x-amz-content-sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER for now at the LB layer. Ask application users to use STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Network Observability Operator | network-observability/network-observability-operator-bundle | Not affected | ||
| Network Observability Operator | network-observability/network-observability-rhel9-operator | Not affected | ||
| Red Hat OpenShift AI (RHOAI) | odh-ml-pipelines-api-server-container | Not affected | ||
| Red Hat OpenShift AI (RHOAI) | odh-ml-pipelines-artifact-manager-container | Not affected | ||
| Red Hat OpenShift AI (RHOAI) | odh-ml-pipelines-cache-container | Not affected | ||
| Red Hat OpenShift AI (RHOAI) | odh-ml-pipelines-persistenceagent-container | Not affected | ||
| Red Hat OpenShift AI (RHOAI) | odh-ml-pipelines-scheduledworkflow-container | Not affected | ||
| Red Hat OpenShift distributed tracing 3 | rhosdt/tempo-gateway-opa-rhel8 | Not affected | ||
| Red Hat OpenShift distributed tracing 3 | rhosdt/tempo-gateway-rhel8 | Not affected | ||
| Red Hat OpenShift distributed tracing 3 | rhosdt/tempo-jaeger-query-rhel8 | Not affected |
Показывать по
Дополнительная информация
Статус:
7.5 High
CVSS3
Связанные уязвимости
MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. The signature component of the authorization may be invalid, which would mean that as a client you can use any arbitrary secret to upload objects given the user already has prior WRITE permissions on the bucket. Prior knowledge of access-key, and bucket name this user might have access to - and an access-key with a WRITE permissions is necessary. However with relevant information in place, uploading random objects to buckets is trivial and easy via curl. This issue is fixed in RELEASE.2025-04-03T14-56-28Z.
MinIO is a High Performance Object Storage released under GNU Affero G ...
MinIO performs incomplete signature validation for unsigned-trailer uploads
7.5 High
CVSS3