Ecosyste.ms: Advisories
Security Advisories: GSA_kwCzR0hTQS0ycHh3LXI0N3ctNHA4Y84AA1sg
Privilege Escalation on Linux/MacOS
Impact
An attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing PostPolicyBucket. To carry out this attack, the attacker requires credentials with arn:aws:s3:::* permission, as well as enabled Console API access.
Patches
commit 67f4ba154a27a1b06e48bfabda38355a010dfca5
Author: Aditya Manthramurthy <[email protected]>
Date: Sun Mar 19 21:15:20 2023 -0700
fix: post policy request security bypass (#16849)
Workarounds
The attack requires browser (Console) API access to be enabled; turning it off with MINIO_BROWSER=off blocks the attack and serves as a workaround.
References
The vulnerable code:
// minio/cmd/generic-handlers.go
func setRequestValidityHandler(h http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// ...
		// For all other requests reject access to reserved buckets
		bucketName, _ := request2BucketObjectName(r)
		if isMinioReservedBucket(bucketName) || isMinioMetaBucket(bucketName) {
			// The rejection is skipped for request classes the server treats as trusted
			// (RPC, browser/console, health check, metrics, admin, KMS).
			if !guessIsRPCReq(r) && !guessIsBrowserReq(r) && !guessIsHealthCheckReq(r) && !guessIsMetricsReq(r) && !isAdminReq(r) && !isKMSReq(r) {
				// tc and ok are set up in the elided tracing code above
				if ok {
					tc.FuncName = "handler.ValidRequest"
					tc.ResponseRecorder.LogErrBody = true
				}
				writeErrorResponse(r.Context(), w, errorCodes.ToAPIErr(ErrAllAccessDisabled), r.URL)
				return
			}
		}
		// ...
	})
}
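The generic handler above enforces the reserved-bucket rule only for request classes it does not exempt, and browser/console requests are exempt. The following is an added example, not MinIO's code and not the actual patch, that shows the defensive pattern this implies: an operation that writes objects must re-check the bucket it is about to write to itself, rather than relying on a classification-dependent middleware. All names (isReservedBucket, isConsoleReq, the X-Example-Console header, Upload) are hypothetical stand-ins constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Hypothetical stand-in for MinIO's reserved-name predicates (not the project's code).
const metaBucket = ".minio.sys"

func isReservedBucket(name string) bool {
	return name == "minio" || name == metaBucket || strings.HasPrefix(name, metaBucket+"/")
}

// bucketFromPath takes the first path segment as the bucket, in the style of a
// request2BucketObjectName lookup.
func bucketFromPath(r *http.Request) string {
	p := strings.TrimPrefix(r.URL.Path, "/")
	if i := strings.IndexByte(p, '/'); i >= 0 {
		return p[:i]
	}
	return p
}

// isConsoleReq is a hypothetical classifier standing in for the
// guessIsBrowserReq-style exemption in the generic handler.
func isConsoleReq(r *http.Request) bool {
	return r.Header.Get("X-Example-Console") == "1"
}

// genericValidity reproduces the middleware pattern from the advisory: the
// reserved-bucket rejection is skipped for request classes treated as trusted.
func genericValidity(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if isReservedBucket(bucketFromPath(r)) && !isConsoleReq(r) {
			http.Error(w, "AllAccessDisabled", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// putHandler models an object-writing operation. With enforceAtUse set it
// re-checks the bucket it is about to write to, independent of how the
// middleware classified the request (the hardened variant).
func putHandler(enforceAtUse bool, store map[string]string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		bucket := bucketFromPath(r)
		if enforceAtUse && isReservedBucket(bucket) {
			http.Error(w, "AllAccessDisabled", http.StatusForbidden)
			return
		}
		key := strings.TrimPrefix(r.URL.Path, "/"+bucket+"/")
		store[bucket+"/"+key] = "written"
		w.WriteHeader(http.StatusNoContent)
	})
}

// Upload runs one constructed request through middleware and handler and
// returns the HTTP status plus the number of objects that landed in the store.
func Upload(enforceAtUse, asConsole bool, path string) (int, int) {
	store := map[string]string{}
	h := genericValidity(putHandler(enforceAtUse, store))
	req := httptest.NewRequest(http.MethodPost, path, nil)
	if asConsole {
		req.Header.Set("X-Example-Console", "1")
	}
	rr := httptest.NewRecorder()
	h.ServeHTTP(rr, req)
	return rr.Code, len(store)
}

func main() {
	// Constructed target path under the reserved metadata bucket.
	const target = "/" + metaBucket + "/config/config.json"
	code, n := Upload(false, true, target)
	fmt.Printf("middleware only, console-class request: status=%d objects=%d\n", code, n)
	code, n = Upload(true, true, target)
	fmt.Printf("check at point of use:                  status=%d objects=%d\n", code, n)
}
```

The first call shows that a middleware exemption alone lets a console-classified write into the reserved bucket through (204, one object stored); the second shows the same request rejected (403, nothing stored) once the writing handler enforces the check on the bucket it actually uses. The regression test for such a fix is exactly that pair of calls.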
Permalink: https://github.com/advisories/GHSA-2pxw-r47w-4p8c
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0ycHh3LXI0N3ctNHA4Y84AA1sg
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 8 months ago
Updated: 8 months ago
CVSS Score: 8.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-2pxw-r47w-4p8c, CVE-2023-28434
References:
- https://github.com/minio/minio/security/advisories/GHSA-2pxw-r47w-4p8c
- https://nvd.nist.gov/vuln/detail/CVE-2023-28434
- https://github.com/minio/minio/pull/16849
- https://github.com/minio/minio/commit/67f4ba154a27a1b06e48bfabda38355a010dfca5
- https://github.com/advisories/GHSA-2pxw-r47w-4p8c
Blast Radius: 19.4
Affected Packages
go:github.com/minio/minio
Dependent packages: 260
Dependent repositories: 161
Affected Version Ranges: < 0.0.0-202303200415
Fixed in: 0.0.0-202303200415