DIVD-2023-00037 - Security Feature Bypass in MinIO
| Our reference | DIVD-2023-00037 |
| Case lead | Alwin Warringa |
| Author | Max van der Horst |
| Researcher(s) | |
| CVE(s) | |
| Products | MinIO |
| Versions | Prior to RELEASE.2023-03-20T20-16-18Z |
| Recommendation | Upgrade to the patched release as soon as possible, or apply the workaround below until you can. |
| Patch status | patches available |
| Workaround | Disable Console API access by setting `MINIO_BROWSER=off`; the attack requires Console API access to be enabled. |
| Status | Closed |
| Last modified | 25 Apr 2024 18:52 CEST |
Summary
Prior to MinIO version RELEASE.2023-03-20T20-16-18Z, an attacker can use crafted requests to bypass the metadata bucket-name check while MinIO processes PostPolicyBucket, and thereby put an object into any bucket. To carry out this attack, the attacker needs credentials with the `arn:aws:s3:::*` permission, and Console API access must be enabled on the server. The issue is patched in RELEASE.2023-03-20T20-16-18Z. As a workaround, disable Console API access by setting `MINIO_BROWSER=off`, which removes the precondition for the attack.
Recommendations
Upgrade to RELEASE.2023-03-20T20-16-18Z or later. If you cannot upgrade immediately, apply the workaround by setting `MINIO_BROWSER=off` to disable Console API access; this reduces exposure but is not a substitute for the patch.
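The following is an added example, not code from DIVD or the MinIO project. It shows how an operator can check a host against this casefile: it parses the dated MinIO release tag (format `RELEASE.YYYY-MM-DDTHH-MM-SSZ`), compares the build timestamp with the fixed release, and checks whether the `MINIO_BROWSER=off` workaround is set in the server's environment. The assumption that `minio --version` prints a line containing the release tag verbatim is ours; the sample lines are constructed. Builds without a dated tag (for example `DEVELOPMENT.GOGET`) are reported as unknown rather than guessed.

```python
import os
import re
from datetime import datetime, timezone
from typing import Mapping, Optional

# Release that fixes the PostPolicyBucket bucket-name check bypass (from the casefile).
FIXED_RELEASE = "RELEASE.2023-03-20T20-16-18Z"

# MinIO release tags embed a UTC build timestamp: RELEASE.YYYY-MM-DDTHH-MM-SSZ
_RELEASE_RE = re.compile(r"RELEASE\.(\d{4}-\d{2}-\d{2}T\d{2}-\d{2}-\d{2}Z)")


def parse_release(text: str) -> Optional[datetime]:
    """Extract the build timestamp from a MinIO release tag, or from a line that
    contains one (assumed here: the output of `minio --version`). Returns None
    for builds without a dated tag, such as DEVELOPMENT.GOGET, whose age
    cannot be compared."""
    m = _RELEASE_RE.search(text)
    if not m:
        return None
    build = datetime.strptime(m.group(1), "%Y-%m-%dT%H-%M-%SZ")
    return build.replace(tzinfo=timezone.utc)


def is_vulnerable(version_text: str) -> Optional[bool]:
    """True if the build predates the fixed release, False if it is the fix or
    newer, None if the version cannot be determined from the text."""
    build = parse_release(version_text)
    if build is None:
        return None
    return build < parse_release(FIXED_RELEASE)


def workaround_applied(env: Mapping[str, str]) -> bool:
    """The casefile's workaround: Console API access turned off via
    MINIO_BROWSER=off. Matching is case-insensitive and ignores surrounding
    whitespace; any other value, including unset, leaves the Console enabled."""
    return env.get("MINIO_BROWSER", "").strip().lower() == "off"


def assess(version_text: str, env: Mapping[str, str]) -> str:
    """Combine the version check and the workaround check into one verdict."""
    vuln = is_vulnerable(version_text)
    if vuln is None:
        return "unknown: no dated RELEASE tag in version string; verify manually"
    if not vuln:
        return "patched"
    if workaround_applied(env):
        return ("vulnerable build, workaround applied (MINIO_BROWSER=off); "
                "upgrade still recommended")
    return "VULNERABLE: upgrade to %s or later, or set MINIO_BROWSER=off" % FIXED_RELEASE


if __name__ == "__main__":
    # Constructed sample lines in the shape `minio --version` is assumed to print.
    samples = [
        "minio version RELEASE.2023-03-13T19-46-17Z (commit-id=0000000)",
        "minio version RELEASE.2023-03-20T20-16-18Z (commit-id=0000000)",
        "minio version DEVELOPMENT.GOGET",
    ]
    for line in samples:
        print(line, "->", assess(line, os.environ))
```

Run it on the server itself with `minio --version` output and the server's environment; it deliberately makes no network request, because this casefile records that no reliable remote fingerprint for the vulnerable versions was found.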
What we are doing
DIVD is scanning for vulnerable systems. Owners of such systems will receive a notification with this casefile and remediation steps.
Timeline
| Date | Description |
|---|---|
| 26 Sep 2023 | DIVD starts scanning for this vulnerability. |
| 26 Sep 2023 | First version of this casefile. |
| 30 Nov 2023 | Case closed because no reliable method to fingerprint vulnerable instances could be found. |