GoogleOSV:GHSA-W23Q-4HW3-2PP6Minio vulnerable to Privilege Escalation on Windows via Path separator manipulation
Impact
All users on Windows are impacted. MinIO fails to filter the \ character, which allows for arbitrary object placement across
buckets. As a result, a user with low privileges, such as an access key, service account, or STS credential, which only has permission to PutObject in a specific bucket, can create an admin user.
Patches
There are two patches that fix this problem comprehensively
commit b3c54ec81e0a06392abfb3a1ffcdc80c6fbf6ebc
Author: Harshavardhana <harsha@minio.io>
Date: Mon Mar 20 13:16:00 2023 -0700
reject object names with '\' on windows (#16856)
commit 8d6558b23649f613414c8527b58973fbdfa4d1b8
Author: Harshavardhana <harsha@minio.io>
Date: Mon Mar 20 00:35:25 2023 -0700
fix: convert '\' to '/' on windows (#16852)
Workarounds
There are no known workarounds
References
The vulnerable code:
// minio/cmd/generic-handlers.go
// Check if the incoming path has bad path components,
// such as ".." and "."
// SlashSeparator -> /
// dotdotComponent -> ..
// dotComponent -> .
func hasBadPathComponent(path string) bool {
path = strings.TrimSpace(path)
for _, p := range strings.Split(path, SlashSeparator) {
switch strings.TrimSpace(p) {
case dotdotComponent:
return true
case dotComponent:
return true
}
}
return false
}
| CPE | Name | Operator | Version |
|---|---|---|---|
| github.com/minio/minio | lt | 0.0.0-202303200735 |
References
github.com/minio/minio
github.com/minio/minio/commit/8d6558b23649f613414c8527b58973fbdfa4d1b8
github.com/minio/minio/commit/b3c54ec81e0a06392abfb3a1ffcdc80c6fbf6ebc
github.com/minio/minio/releases/tag/RELEASE.2023-03-20T20-16-18Z
github.com/minio/minio/security/advisories/GHSA-w23q-4hw3-2pp6
nvd.nist.gov/vuln/detail/CVE-2023-28433
Related
