Get a Demo

Let's Patch It!

Book a short call with one our specialists, we'll walk you through how Endor Patches work, and ask you a few questions about your environment (like your primary programming languages and repository management). We'll also send you an email right after you fill out the form, feel free to reply with any questions you have in advance!

CVE

GHSA-2pxw-r47w-4p8c

Privilege Escalation on Linux/MacOS
Back to all
CVE

GHSA-2pxw-r47w-4p8c

Privilege Escalation on Linux/MacOS

Impact

An attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing PostPolicyBucket. To carry out this attack, the attacker requires credentials with arn:aws:s3:::* permission, as well as enabled Console API access.

Patches

commit 67f4ba154a27a1b06e48bfabda38355a010dfca5
Author: Aditya Manthramurthy <donatello@users.noreply.github.com>
Date:   Sun Mar 19 21:15:20 2023 -0700
    fix: post policy request security bypass (#16849)

Workarounds

Browser API access must be enabled turning off MINIO_BROWSER=off allows for this workaround.

References

The vulnerable code:

// minio/cmd/generic-handlers.go
func setRequestValidityHandler(h http.Handler) http.Handler {
  return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
    // ...
    // For all other requests reject access to reserved buckets
    bucketName, _ := request2BucketObjectName(r)
    if isMinioReservedBucket(bucketName) || isMinioMetaBucket(bucketName) {
      if !guessIsRPCReq(r) && !guessIsBrowserReq(r) && !guessIsHealthCheckReq(r) && !guessIsMetricsReq(r) && !isAdminReq(r) && !isKMSReq(r) {
        if ok {
          tc.FuncName = "handler.ValidRequest"
          tc.ResponseRecorder.LogErrBody = true
        }
        writeErrorResponse(r.Context(), w, errorCodes.ToAPIErr(ErrAllAccessDisabled), r.URL)
        return
      }
    }
    // ...

Package Versions Affected

Package Version
patch Availability
No items found.

Automatically patch vulnerabilities without upgrading

Fix Without Upgrading
Detect compatible fix
Apply safe remediation
Fix with a single pull request

CVSS Version

Severity
Base Score
CVSS Version
Score Vector
C
H
U
8.8
-
3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
C
H
U
0
-
3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H
C
H
U
8.8
-
3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Related Resources

No items found.

References

https://github.com/minio/minio/security/advisories/GHSA-2pxw-r47w-4p8c, https://nvd.nist.gov/vuln/detail/CVE-2023-28434, https://github.com/minio/minio/pull/16849, https://github.com/minio/minio/commit/67f4ba154a27a1b06e48bfabda38355a010dfca5, https://github.com/minio/minio, https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-28434

Severity

8.8

CVSS Score
0
10

Basic Information

Ecosystem
Base CVSS
8.8
EPSS Probability
0.46005%
EPSS Percentile
0.97521%
Introduced Version
0,v0.0.0-20160818232342-bccf549463fd,v0.0.0-20160309014450-d5057b3c51c5
Fix Available
0.0.0-202303200415,v0.0.0-20230320041520-67f4ba154a27

Fix Critical Vulnerabilities Instantly

Secure your app without upgrading.
Fix Without Upgrading