New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix: post policy request security bypass #16849
Merged
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Due to inconstency between the check for routing post policy requests and for preventing access to reserved buckets, it is possible to bypass restrictions and write objects directly into system buckets allowing privilege escalation.
|
@donatello do you have a reproducer for this? |
Mint Automation
16849-cbd5828/mint-compress-encrypt-dist-erasure.sh.log:16849-cbd5828/mint-pools.sh.log:Deleting image on docker hub |
Yes. Will share privately. |
|
@donatello we need to add a test here so that this is always tested. |
harshavardhana
approved these changes
Mar 20, 2023
|
Taking this in, so that we can make a new release // cc @donatello |
harshavardhana
pushed a commit
to harshavardhana/minio
that referenced
this pull request
Mar 30, 2023
rluetzner
pushed a commit
to iternity-dotcom/minio
that referenced
this pull request
May 4, 2023
This fixes security vulnerability CVE-2023-28434 where users that had access to all resources (`arn:aws:s3:::*`) were able to put objects into any bucket, including .minio.sys, the MinIO metabucket. By crafting requests they would be able to escalate privileges. As a workaround `MINIO_BROWSER=off` can be turned off, i.e. the MinIO browser is enabled. This is fixed upstream, but in a version that no longer supports a file backend, which is why we backport it. More information can be found here: https://nvd.nist.gov/vuln/detail/CVE-2023-28434 GHSA-2pxw-r47w-4p8c minio#16849 (cherry picked from commit 67f4ba1)
rluetzner
pushed a commit
to iternity-dotcom/minio
that referenced
this pull request
May 4, 2023
This fixes security vulnerability CVE-2023-28434 where users that had access to all resources (`arn:aws:s3:::*`) were able to put objects into any bucket, including .minio.sys, the MinIO metabucket. By crafting requests they would be able to escalate privileges. As a workaround `MINIO_BROWSER=off` can be turned off, i.e. the MinIO browser is enabled. This is fixed upstream, but in a version that no longer supports a file backend, which is why we backport it. More information can be found here: https://nvd.nist.gov/vuln/detail/CVE-2023-28434 GHSA-2pxw-r47w-4p8c minio#16849 (cherry picked from commit 67f4ba1)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Description
Due to inconstency between the check for routing post policy requests and for preventing access to reserved buckets, it is possible to bypass restrictions and write objects directly into system buckets allowing privilege escalation.
Motivation and Context
How to test this PR?
Types of changes
Checklist:
commit-idorPR #here)