Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1qdjNmLTdtMzMtcXA2Nc4AAze1
Minio console object names with RIGHT-TO-LEFT OVERRIDE unicode character can be exploited
Impact
Unicode RIGHT-TO-LEFT OVERRIDE characters can be used to mask the original filename.
Reported-By
Thanks to the report from Mio Li [email protected]
Patches
commit 17e791afb90c9ad27c65f63c6be14f2f6a3a9d60
Author: Daniel Valdivia <[email protected]>
Date: Tue May 23 08:47:12 2023 -0700
Replace RIGHT-TO-LEFT OVERRIDE unicode (#2828)
Signed-off-by: Daniel Valdivia <[email protected]>
Workarounds
Workarounds are to remove the concerned file and rewrite it properly with the right file and extensions. Avoid using RTLO characters in your filenames.
Permalink: https://github.com/advisories/GHSA-jv3f-7m33-qp65JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qdjNmLTdtMzMtcXA2Nc4AAze1
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 6 months ago
Updated: 17 days ago
CVSS Score: 4.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Identifiers: GHSA-jv3f-7m33-qp65, CVE-2023-33955
References:
- https://github.com/minio/console/security/advisories/GHSA-jv3f-7m33-qp65
- https://github.com/minio/console/commit/17e791afb90c9ad27c65f63c6be14f2f6a3a9d60
- https://nvd.nist.gov/vuln/detail/CVE-2023-33955
- https://github.com/minio/console/releases/tag/v0.28.0
- https://github.com/advisories/GHSA-jv3f-7m33-qp65
Affected Packages
go:github.com/minio/console
Versions: < 0.28.0Fixed in: 0.28.0