ghsa-2pxw-r47w-4p8c
Vulnerability from github
Impact
An attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing `PostPolicyBucket`. To carry out this attack, the attacker requires credentials with `arn:aws:s3:::*` permission, as well as enabled Console API access.
Patches
```
commit 67f4ba154a27a1b06e48bfabda38355a010dfca5
Author: Aditya Manthramurthy <donatello@users.noreply.github.com>
Date: Sun Mar 19 21:15:20 2023 -0700

    fix: post policy request security bypass (#16849)
```
Workarounds
Browser API access must be enabled for the attack to succeed; turning it off with `MINIO_BROWSER=off` works around the issue.
References
The vulnerable code:
```go
// minio/cmd/generic-handlers.go
func setRequestValidityHandler(h http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// ...
		// For all other requests reject access to reserved buckets
		bucketName, _ := request2BucketObjectName(r)
		if isMinioReservedBucket(bucketName) || isMinioMetaBucket(bucketName) {
			if !guessIsRPCReq(r) && !guessIsBrowserReq(r) && !guessIsHealthCheckReq(r) && !guessIsMetricsReq(r) && !isAdminReq(r) && !isKMSReq(r) {
				if ok {
					tc.FuncName = "handler.ValidRequest"
					tc.ResponseRecorder.LogErrBody = true
				}
				writeErrorResponse(r.Context(), w, errorCodes.ToAPIErr(ErrAllAccessDisabled), r.URL)
				return
			}
		}
		// ...
	})
}
```
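To show why the exemption in the check above is fragile, here is an added Go example (not MinIO's code and not its patch): a gate modelled on `setRequestValidityHandler` that exempts reserved-bucket requests on a client-chosen header, beside a hardened gate that refuses metadata-bucket writes outright and exempts other reserved-bucket traffic only on a server-verified flag. The helper bodies, the single reserved bucket names and the `verifiedInternal` flag are assumptions of the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Stand-ins for MinIO's isMinioMetaBucket/isMinioReservedBucket (constructed; the
// real helpers cover more names) and for request2BucketObjectName.
func isMinioMetaBucket(b string) bool     { return b == ".minio.sys" }
func isMinioReservedBucket(b string) bool { return b == "minio" }
func bucketFromPath(r *http.Request) string {
	return strings.SplitN(strings.TrimPrefix(r.URL.Path, "/"), "/", 2)[0]
}

// guessIsBrowserReq stands in for the heuristic the vulnerable handler relies on: it
// inspects a header the client chooses, so it proves nothing about who is calling.
func guessIsBrowserReq(r *http.Request) bool {
	return strings.Contains(r.Header.Get("User-Agent"), "Mozilla")
}

// weakGate mirrors the structure of setRequestValidityHandler in the advisory:
// reserved buckets are denied unless the request is *guessed* to be a browser request.
func weakGate(r *http.Request) bool {
	if b := bucketFromPath(r); isMinioReservedBucket(b) || isMinioMetaBucket(b) {
		return guessIsBrowserReq(r)
	}
	return true
}

// hardenedGate (this example's own design, not MinIO's patch): object writes to the
// metadata bucket are refused outright; other reserved-bucket traffic is exempted only
// on a server-side fact (verifiedInternal, assumed to be set by the auth layer).
func hardenedGate(r *http.Request, verifiedInternal bool) bool {
	b := bucketFromPath(r)
	if isMinioMetaBucket(b) && (r.Method == http.MethodPost || r.Method == http.MethodPut) {
		return false
	}
	if isMinioReservedBucket(b) || isMinioMetaBucket(b) {
		return verifiedInternal
	}
	return true
}

func main() {
	r := httptest.NewRequest(http.MethodPost, "/.minio.sys/config/x", nil) // constructed
	r.Header.Set("User-Agent", "Mozilla/5.0 (constructed)")
	fmt.Println("weak gate allows:", weakGate(r), "hardened gate allows:", hardenedGate(r, true))
}
```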
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/minio/minio"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-202303200415"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-28434"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": true,
"github_reviewed_at": "2023-09-05T15:45:10Z",
"nvd_published_at": "2023-03-22T21:15:00Z",
"severity": "HIGH"
},
"id": "GHSA-2pxw-r47w-4p8c",
"modified": "2025-10-22T19:20:02Z",
"published": "2023-09-05T15:45:10Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/minio/minio/security/advisories/GHSA-2pxw-r47w-4p8c"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28434"
},
{
"type": "WEB",
"url": "https://github.com/minio/minio/pull/16849"
},
{
"type": "WEB",
"url": "https://github.com/minio/minio/commit/67f4ba154a27a1b06e48bfabda38355a010dfca5"
},
{
"type": "PACKAGE",
"url": "https://github.com/minio/minio"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-28434"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H",
"type": "CVSS_V3"
}
],
"summary": "Privilege Escalation on Linux/MacOS"
}