GHSA-2pxw-r47w-4p8c
Suggest an improvement- Source
- https://github.com/advisories/GHSA-2pxw-r47w-4p8c
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-2pxw-r47w-4p8c/GHSA-2pxw-r47w-4p8c.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-2pxw-r47w-4p8c
- Aliases
- Downstream
- Related
- Published
- 2023-09-05T15:45:10Z
- Modified
- 2025-10-22T19:20:02Z
- Severity
-
- 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H CVSS Calculator
- Summary
- Privilege Escalation on Linux/MacOS
- Details
-
Impact
An attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing
PostPolicyBucket. To carry out this attack, the attacker requires credentials witharn:aws:s3:::*permission, as well as enabled Console API access.Patches
commit 67f4ba154a27a1b06e48bfabda38355a010dfca5 Author: Aditya Manthramurthy <donatello@users.noreply.github.com> Date: Sun Mar 19 21:15:20 2023 -0700 fix: post policy request security bypass (#16849)Workarounds
Browser API access must be enabled turning off
MINIO_BROWSER=offallows for this workaround.References
The vulnerable code:
// minio/cmd/generic-handlers.go func setRequestValidityHandler(h http.Handler) http.Handler { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { // ... // For all other requests reject access to reserved buckets bucketName, _ := request2BucketObjectName(r) if isMinioReservedBucket(bucketName) || isMinioMetaBucket(bucketName) { if !guessIsRPCReq(r) && !guessIsBrowserReq(r) && !guessIsHealthCheckReq(r) && !guessIsMetricsReq(r) && !isAdminReq(r) && !isKMSReq(r) { if ok { tc.FuncName = "handler.ValidRequest" tc.ResponseRecorder.LogErrBody = true } writeErrorResponse(r.Context(), w, errorCodes.ToAPIErr(ErrAllAccessDisabled), r.URL) return } } // ... - Database specific
{ "severity": "HIGH", "cwe_ids": [ "CWE-269" ], "github_reviewed_at": "2023-09-05T15:45:10Z", "nvd_published_at": "2023-03-22T21:15:00Z", "github_reviewed": true }- References
-
- https://github.com/minio/minio/security/advisories/GHSA-2pxw-r47w-4p8c
- https://nvd.nist.gov/vuln/detail/CVE-2023-28434
- https://github.com/minio/minio/pull/16849
- https://github.com/minio/minio/commit/67f4ba154a27a1b06e48bfabda38355a010dfca5
- https://github.com/minio/minio
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-28434
Affected packages
Go / github.com/minio/minio
Package
- Name
- github.com/minio/minio
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/minio/minio