fix: user privilege escalation bug #13976
Conversation
Depends on minio/madmin-go#56
The user create API endpoint was accepting a policy field. This API is used to update a user's secret key and account status, and allows a regular user to update their own secret key. The policy update is also applied though does not appear to be used by any existing client side functionality. This fix changes the accepted request body type and removes the ability to apply policy changes as that is possible via the policy set API.
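The escalation the description above refers to, written out as an added Go example (not MinIO's code; the User and Store types, the caller-is-admin flag, the alice account and the readonly/consoleAdmin policy names are all assumed, and the body is narrowed to the secret key, leaving out the status field the real API also takes): the pre-fix body type still carries a policy field that the update applies, the post-fix body type has no such field and the decoder rejects unknown fields outright, and the only way a policy changes is a separate admin-only call.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
)

// User and Store are constructed stand-ins for an IAM record and the user table.
type User struct {
	SecretKey string
	Policy    string
}
type Store map[string]*User

// vulnerableUserReq mirrors the pre-fix body: the update request carried a policy field.
type vulnerableUserReq struct {
	SecretKey string `json:"secretKey"`
	Policy    string `json:"policy"`
}

// fixedUserReq is the narrowed body: no policy field at all.
type fixedUserReq struct {
	SecretKey string `json:"secretKey"`
}

var errNotAuthorized = errors.New("not authorized")

// authorize: a regular user may touch only their own record, an admin anyone's.
func (s Store) authorize(caller, target string, callerIsAdmin bool) (*User, error) {
	if !callerIsAdmin && caller != target {
		return nil, errNotAuthorized
	}
	u, ok := s[target]
	if !ok {
		return nil, errors.New("no such user")
	}
	return u, nil
}

// UpdateUserVulnerable: pre-fix, a self-service key rotation can also grant any policy.
func (s Store) UpdateUserVulnerable(caller, target string, body []byte, callerIsAdmin bool) error {
	u, err := s.authorize(caller, target, callerIsAdmin)
	if err != nil {
		return err
	}
	var req vulnerableUserReq
	if err := json.Unmarshal(body, &req); err != nil {
		return err
	}
	if req.SecretKey != "" {
		u.SecretKey = req.SecretKey
	}
	if req.Policy != "" {
		u.Policy = req.Policy // the privilege-escalation path
	}
	return nil
}

// UpdateUserFixed: post-fix, a smuggled policy field fails the whole request before any write.
func (s Store) UpdateUserFixed(caller, target string, body []byte, callerIsAdmin bool) error {
	u, err := s.authorize(caller, target, callerIsAdmin)
	if err != nil {
		return err
	}
	dec := json.NewDecoder(bytes.NewReader(body))
	dec.DisallowUnknownFields()
	var req fixedUserReq
	if err := dec.Decode(&req); err != nil {
		return err
	}
	if req.SecretKey != "" {
		u.SecretKey = req.SecretKey
	}
	return nil
}

// SetPolicy stands in for the separate policy-set API: admin-only, even on one's own record.
func (s Store) SetPolicy(caller, target, policy string, callerIsAdmin bool) error {
	if !callerIsAdmin {
		return errNotAuthorized
	}
	u, err := s.authorize(caller, target, callerIsAdmin)
	if err != nil {
		return err
	}
	u.Policy = policy
	return nil
}

func NewStore() Store {
	return Store{"alice": {SecretKey: "old-secret", Policy: "readonly"}}
}

func main() {
	// Constructed attacker request: rotate own key and smuggle a policy along.
	body := []byte(`{"secretKey":"new-secret","policy":"consoleAdmin"}`)
	vuln, fixed := NewStore(), NewStore()
	fmt.Println(vuln.UpdateUserVulnerable("alice", "alice", body, false), vuln["alice"].Policy)
	fmt.Println(fixed.UpdateUserFixed("alice", "alice", body, false), fixed["alice"].Policy)
}
```

Rejecting unknown fields, rather than just dropping the policy field from the struct, is a deliberate choice: a client that still sends the old body gets a clear error instead of a silently partial update, which is what you want when the removed field was the dangerous one.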
Mint Automation
LGTM
The workaround may sound obvious for a seasoned MinIO developer but as an occasional user it is not exactly clear, even after looking at the documentation for a while. Do I understand it correctly that the policy action key
{
  "Action": [
    "admin:CreateUser"
  ],
  "Effect": "Deny",
  "Resource": [
    "arn:aws:s3:::*"
  ]
}
@bluikko you should upgrade and not worry about workarounds. It's been almost 2 weeks since it was published as GHSA-j6jc-jqqc-p6cx. I would consider it a waste of time while the release with the fix is available.
Agreed, but it is not a simple matter to get this updated so I have a choice of deploying a workaround, doing nothing, or updating in a few months.
@bluikko We offer backports of critical fixes like this as part of our subscription offer. If you have critical production environments you should consider that.
Motivation and Context
Found while reviewing code working on something else.
How to test this PR?
Tests included.