GHSA-28q9-9c3g-v3f9
Suggest an improvement- Source
- https://github.com/advisories/GHSA-28q9-9c3g-v3f9
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-28q9-9c3g-v3f9/GHSA-28q9-9c3g-v3f9.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-28q9-9c3g-v3f9
- Aliases
- Published
- 2022-09-23T15:13:14Z
- Modified
- 2024-08-21T16:28:58.664990Z
- Summary
- lakeFS vulnerable to authenticated users deleting files they are not authorized to delete
- Details
-
Impact
Authenticated users can send a request to delete-objects through the s3 gateway and delete files they are not authorized to delete.
Patches
lakeFS v0.82.0 and later
Workarounds
Drop specific request to the lakeFS listen port. Any request with "Authorization" header and value that starts with "AWS".
References
advisories/GHSA-28q9-9c3g-v3f9
For more information
If you have any questions or comments about this advisory:
Ask on the lakeFS Slack #help channel Email us at security@treeverse.io
- Database specific
{ "nvd_published_at": null, "cwe_ids": [ "CWE-281", "CWE-284" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2022-09-23T15:13:14Z" }- References
Affected packages
Go / github.com/treeverse/lakefs
Package
- Name
- github.com/treeverse/lakefs
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/treeverse/lakefs