GHSA-2pxw-r47w-4p8c

Suggest an improvement
Source
https://github.com/advisories/GHSA-2pxw-r47w-4p8c
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-2pxw-r47w-4p8c/GHSA-2pxw-r47w-4p8c.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-2pxw-r47w-4p8c
Aliases
Related
Published
2023-09-05T15:45:10Z
Modified
2023-12-06T01:02:58.121125Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Privilege Escalation on Linux/MacOS
Details

Impact

An attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing PostPolicyBucket. To carry out this attack, the attacker requires credentials with arn:aws:s3:::* permission, as well as enabled Console API access.

Patches

commit 67f4ba154a27a1b06e48bfabda38355a010dfca5
Author: Aditya Manthramurthy <donatello@users.noreply.github.com>
Date:   Sun Mar 19 21:15:20 2023 -0700

    fix: post policy request security bypass (#16849)

Workarounds

Browser API access must be enabled turning off MINIO_BROWSER=off allows for this workaround.

References

The vulnerable code:

// minio/cmd/generic-handlers.go
func setRequestValidityHandler(h http.Handler) http.Handler {
  return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
    // ...
    // For all other requests reject access to reserved buckets
    bucketName, _ := request2BucketObjectName(r)
    if isMinioReservedBucket(bucketName) || isMinioMetaBucket(bucketName) {
      if !guessIsRPCReq(r) && !guessIsBrowserReq(r) && !guessIsHealthCheckReq(r) && !guessIsMetricsReq(r) && !isAdminReq(r) && !isKMSReq(r) {
        if ok {
          tc.FuncName = "handler.ValidRequest"
          tc.ResponseRecorder.LogErrBody = true
        }
        writeErrorResponse(r.Context(), w, errorCodes.ToAPIErr(ErrAllAccessDisabled), r.URL)
        return
      }
    }
    // ...
Database specific 
{
    "nvd_published_at": "2023-03-22T21:15:00Z",
    "cwe_ids": [
        "CWE-269"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2023-09-05T15:45:10Z"
}
References

Affected packages

Go / github.com/minio/minio

Package

Name
github.com/minio/minio
View open source insights on deps.dev
Purl
pkg:golang/github.com/minio/minio

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.0.0-202303200415