Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS0yOHE5LTljM2ctdjNmOc4AAvAW
lakeFS vulnerable to authenticated users deleting files they are not authorized to delete
Impact
Authenticated users can send a request to delete-objects through the s3 gateway and delete files they are not authorized to delete.
Patches
lakeFS v0.82.0 and later
Workarounds
Drop specific request to the lakeFS listen port. Any request with "Authorization" header and value that starts with "AWS".
References
advisories/GHSA-28q9-9c3g-v3f9
For more information
If you have any questions or comments about this advisory:
Ask on the lakeFS Slack #help channel
Email us at [email protected]
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0yOHE5LTljM2ctdjNmOc4AAvAW
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 1 year ago
Updated: over 1 year ago
Identifiers: GHSA-28q9-9c3g-v3f9
References:
- https://github.com/treeverse/lakeFS/security/advisories/GHSA-28q9-9c3g-v3f9
- https://github.com/treeverse/lakeFS/commit/81182bf9c0cf57f3cec3c893cf739b2069305e37
- https://github.com/advisories/GHSA-28q9-9c3g-v3f9
Blast Radius: 0.0
Affected Packages
go:github.com/treeverse/lakefs
Dependent packages: 1Dependent repositories: 1
Downloads:
Affected Version Ranges: < 0.82.0
Fixed in: 0.82.0
All affected versions: 0.8.1, 0.8.2, 0.9.0, 0.10.0, 0.10.1, 0.10.2, 0.11.0, 0.11.1, 0.12.0, 0.13.0, 0.14.0, 0.15.0, 0.16.0, 0.16.1, 0.16.2, 0.17.0, 0.18.0, 0.19.0, 0.20.0, 0.20.1, 0.21.0, 0.21.1, 0.21.2, 0.21.3, 0.21.4, 0.22.0, 0.22.1, 0.23.0, 0.23.1, 0.30.0, 0.31.0, 0.31.1, 0.31.2, 0.32.0, 0.32.1, 0.33.0, 0.33.1, 0.40.0, 0.40.1, 0.40.2, 0.40.3, 0.41.0, 0.41.1, 0.42.0, 0.43.0, 0.44.0, 0.44.1, 0.45.0, 0.45.1, 0.46.0, 0.47.0, 0.48.0, 0.48.1, 0.49.0, 0.50.0, 0.51.0, 0.52.0, 0.52.1, 0.52.2, 0.53.0, 0.53.1, 0.54.0, 0.55.0, 0.56.0, 0.57.0, 0.57.1, 0.57.2, 0.58.0, 0.58.1, 0.59.0, 0.60.0, 0.60.1, 0.61.0, 0.62.0, 0.63.0, 0.64.0, 0.65.0, 0.66.0, 0.67.0, 0.68.0, 0.69.0, 0.69.1, 0.70.0, 0.70.1, 0.70.2, 0.70.3, 0.70.4, 0.70.5, 0.70.6, 0.80.0, 0.80.1, 0.80.2
All unaffected versions: 0.82.0, 0.83.0, 0.83.2, 0.83.3, 0.83.4, 0.84.0, 0.85.0, 0.86.0, 0.87.0, 0.87.1, 0.88.0, 0.89.0, 0.90.0, 0.90.1, 0.91.0, 0.92.0, 0.93.0, 0.94.0, 0.94.1, 0.95.0, 0.96.0, 0.96.1, 0.97.0, 0.97.1, 0.97.2, 0.97.3, 0.97.4, 0.97.5, 0.97.6, 0.97.66, 0.97.999, 0.98.0, 0.99.0, 0.99.1, 0.100.0, 0.101.0, 0.101.1, 0.102.0, 0.102.1, 0.102.2, 0.103.0, 0.104.0, 0.105.0, 0.106.0, 0.106.1, 0.106.2, 0.107.0, 0.107.1, 0.108.0, 0.109.0, 0.110.0, 0.111.0, 0.111.1, 0.112.0, 0.112.1, 0.113.0, 1.0.0, 1.1.0, 1.2.0, 1.3.0, 1.3.1, 1.4.0, 1.5.0, 1.6.0, 1.7.0, 1.8.0, 1.9.0, 1.9.1, 1.10.0, 1.11.0, 1.11.1, 1.12.0, 1.12.1, 1.13.0, 1.14.0, 1.14.1, 1.15.0, 1.16.0, 1.17.0, 1.18.0, 1.19.0