Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS13MjNxLTRodzMtMnBwNs4AA1vd
Minio vulnerable to Privilege Escalation on Windows via Path separator manipulation
Impact
All users on Windows are impacted. MinIO fails to filter the '\' character, which allows for arbitrary object placement across buckets. As a result, a user with low privileges, such as an access key, service account, or STS credential, which only has permission to PutObject in a specific bucket, can create an admin user.
Patches
There are two patches that fix this problem comprehensively:
commit b3c54ec81e0a06392abfb3a1ffcdc80c6fbf6ebc
Author: Harshavardhana <[email protected]>
Date: Mon Mar 20 13:16:00 2023 -0700
reject object names with '\' on windows (#16856)
commit 8d6558b23649f613414c8527b58973fbdfa4d1b8
Author: Harshavardhana <[email protected]>
Date: Mon Mar 20 00:35:25 2023 -0700
fix: convert '\' to '/' on windows (#16852)
Workarounds
There are no known workarounds
References
The vulnerable code:

```go
// minio/cmd/generic-handlers.go
package cmd

import "strings"

// Separator and component names as described in the original comments.
const (
	SlashSeparator  = "/"  // SlashSeparator -> /
	dotdotComponent = ".." // dotdotComponent -> ..
	dotComponent    = "."  // dotComponent -> .
)

// Check if the incoming path has bad path components,
// such as ".." and ".". The path is only split on SlashSeparator,
// so a name that uses '\' as its separator is never broken into
// components and passes this check unchanged (the defect described above).
func hasBadPathComponent(path string) bool {
	path = strings.TrimSpace(path)
	for _, p := range strings.Split(path, SlashSeparator) {
		switch strings.TrimSpace(p) {
		case dotdotComponent:
			return true
		case dotComponent:
			return true
		}
	}
	return false
}
```
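As an added illustration (not code from the advisory or from MinIO), the quoted check is shown beside two hardened variants that follow the approach of the two patches listed above; the function names normalizeThenCheck and rejectBackslash and the sample object names are constructed for this example.

```go
package main

import (
	"fmt"
	"strings"
)

const (
	SlashSeparator  = "/"
	dotdotComponent = ".."
	dotComponent    = "."
)

// hasBadPathComponent is the pre-patch check quoted in the advisory. It only
// splits on "/", so a name such as `..\escape` is one component that is
// neither ".." nor "." and is therefore accepted.
func hasBadPathComponent(path string) bool {
	path = strings.TrimSpace(path)
	for _, p := range strings.Split(path, SlashSeparator) {
		switch strings.TrimSpace(p) {
		case dotdotComponent, dotComponent:
			return true
		}
	}
	return false
}

// normalizeThenCheck mirrors the idea of #16852 ("convert '\' to '/'"):
// map backslashes to the canonical separator before the component check.
// Assumed reconstruction for illustration, not MinIO's code.
func normalizeThenCheck(path string) bool {
	return hasBadPathComponent(strings.ReplaceAll(path, `\`, SlashSeparator))
}

// rejectBackslash mirrors the idea of #16856 ("reject object names with '\'
// on windows"): on Windows any backslash in the name is refused outright.
// Assumed reconstruction for illustration, not MinIO's code.
func rejectBackslash(path string, onWindows bool) bool {
	if onWindows && strings.Contains(path, `\`) {
		return true
	}
	return hasBadPathComponent(path)
}

func main() {
	// Constructed sample object names; the second uses the Windows separator.
	for _, name := range []string{"../escape", `..\escape`, "ok/object"} {
		fmt.Printf("%-12q vulnerable=%-5v normalize=%-5v reject(win)=%v\n",
			name, hasBadPathComponent(name), normalizeThenCheck(name), rejectBackslash(name, true))
	}
}
```

Only the backslash-bearing name separates the three checks: the original accepts it, both hardened variants reject it, and ordinary names are treated identically by all three.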
Permalink: https://github.com/advisories/GHSA-w23q-4hw3-2pp6
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13MjNxLTRodzMtMnBwNs4AA1vd
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 8 months ago
Updated: 8 months ago
CVSS Score: 8.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-w23q-4hw3-2pp6, CVE-2023-28433
References:
- https://github.com/minio/minio/security/advisories/GHSA-w23q-4hw3-2pp6
- https://nvd.nist.gov/vuln/detail/CVE-2023-28433
- https://github.com/minio/minio/commit/8d6558b23649f613414c8527b58973fbdfa4d1b8
- https://github.com/minio/minio/commit/b3c54ec81e0a06392abfb3a1ffcdc80c6fbf6ebc
- https://github.com/minio/minio/releases/tag/RELEASE.2023-03-20T20-16-18Z
- https://github.com/advisories/GHSA-w23q-4hw3-2pp6
Blast Radius: 19.4
Affected Packages
go:github.com/minio/minio
Dependent packages: 260
Dependent repositories: 161
Affected Version Ranges: < 0.0.0-202303200735
Fixed in: 0.0.0-202303200735