Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS0ycHh3LXI0N3ctNHA4Y84AA1sg
Privilege Escalation on Linux/MacOS
Impact
An attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing PostPolicyBucket. To carry out this attack, the attacker requires credentials with arn:aws:s3:::* permission, as well as enabled Console API access.
Patches
commit 67f4ba154a27a1b06e48bfabda38355a010dfca5
Author: Aditya Manthramurthy <[email protected]>
Date: Sun Mar 19 21:15:20 2023 -0700
fix: post policy request security bypass (#16849)
Workarounds
Browser API access must be enabled turning off MINIO_BROWSER=off allows for this workaround.
References
The vulnerable code:
// minio/cmd/generic-handlers.go
func setRequestValidityHandler(h http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
// ...
// For all other requests reject access to reserved buckets
bucketName, _ := request2BucketObjectName(r)
if isMinioReservedBucket(bucketName) || isMinioMetaBucket(bucketName) {
if !guessIsRPCReq(r) && !guessIsBrowserReq(r) && !guessIsHealthCheckReq(r) && !guessIsMetricsReq(r) && !isAdminReq(r) && !isKMSReq(r) {
if ok {
tc.FuncName = "handler.ValidRequest"
tc.ResponseRecorder.LogErrBody = true
}
writeErrorResponse(r.Context(), w, errorCodes.ToAPIErr(ErrAllAccessDisabled), r.URL)
return
}
}
// ...
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0ycHh3LXI0N3ctNHA4Y84AA1sg
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 8 months ago
Updated: 8 months ago
CVSS Score: 8.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-2pxw-r47w-4p8c, CVE-2023-28434
References:
- https://github.com/minio/minio/security/advisories/GHSA-2pxw-r47w-4p8c
- https://nvd.nist.gov/vuln/detail/CVE-2023-28434
- https://github.com/minio/minio/pull/16849
- https://github.com/minio/minio/commit/67f4ba154a27a1b06e48bfabda38355a010dfca5
- https://github.com/advisories/GHSA-2pxw-r47w-4p8c
Blast Radius: 19.4
Affected Packages
go:github.com/minio/minio
Dependent packages: 260Dependent repositories: 161
Downloads:
Affected Version Ranges: < 0.0.0-202303200415
Fixed in: 0.0.0-202303200415
All affected versions:
All unaffected versions: