Lucene search
K

24 matches found

CVE
CVE
added 6 days ago14 views

CVE-2026-55874

SeaweedFS's S3 API gateway is affected prior to version 4.34 by a path traversal issue in the X-Amz-Copy-Source header (dot-dot segments) that can enable an authenticated user scoped to one bucket to read objects from other buckets via server-side copy. The issue is documented across CVE-2026-558...

7.7CVSS6AI score0.00327EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.10 views

PT-2026-53930

Name of the Vulnerable Software and Affected Versions SeaweedFS versions prior to 4.34 Description A path traversal issue exists in the S3 gateway DeleteMultipleObjectsHandler. Authenticated S3 principals with write access to one bucket can delete arbitrary objects in buckets belonging to other...

8.1CVSS6AI score0.00766EPSS
Exploits0References10
ATTACKERKB
ATTACKERKB
added 2026/06/25 6:41 p.m.14 views

CVE-2026-54917

SeaweedFS is a distributed storage system for object storage S3, file systems, and Iceberg tables. Prior to 4.30, the S3 API gateway and the Iceberg REST catalog gateway construct their routers with mux.NewRouter.SkipCleantrue. With path cleaning disabled, a .. segment inside the URL survives...

7.8CVSS5.9AI score0.00345EPSS
Exploits1References3Affected Software1
SUSE CVE
SUSE CVE
added 2026/01/27 12:28 a.m.12 views

SUSE CVE-2025-68671

lakeFS is an open-source tool that transforms object storage into a Git-like repositories. LakeFS's S3 gateway does not validate timestamps in authenticated requests, allowing replay attacks. Prior to 1.75.0, an attacker who captures a valid signed request e.g., through network interception, logs...

6.5CVSS5.9AI score0.00239EPSS
Exploits1References2
CVE
CVE
added 2026/01/15 10:35 p.m.16 views

CVE-2025-68671

lakeFS - S3 gateway vulnerability: missing timestamp validation in authenticated requests allows replay attacks. Attackers can reuse valid signed requests until credentials rotate; impact is limited to replay of previously captured requests. Affected: lakeFS S3 gateway; root cause is lack of time...

6.5CVSS6.3AI score0.00239EPSS
Exploits1References3Affected Software1
Vulnrichment
Vulnrichment
added 2026/01/15 10:35 p.m.5 views

CVE-2025-68671 lakeFS is Missing Timestamp Validation in S3 Gateway Authentication

lakeFS is an open-source tool that transforms object storage into a Git-like repositories. LakeFS's S3 gateway does not validate timestamps in authenticated requests, allowing replay attacks. Prior to 1.75.0, an attacker who captures a valid signed request e.g., through network interception, logs...

6.5CVSS5.5AI score0.00239EPSS
Exploits1References3
EUVD
EUVD
added 2026/01/15 9:14 p.m.6 views

EUVD-2026-2725

lakeFS is Missing Timestamp Validation in S3 Gateway Authentication...

6.5CVSS6.4AI score0.00239EPSS
Exploits1References5
RedhatCVE
RedhatCVE
added 2025/05/23 6:47 a.m.22 views

CVE-2024-45106

Improper authentication of an HTTP endpoint in the S3 Gateway of Apache Ozone 1.4.0 allows any authenticated Kerberos user to revoke and regenerate the S3 secrets of any other user. This is only possible if: ozone.s3g.secret.http.enabled is set to true. The default value of this configuration is...

8.1CVSS6.9AI score0.00557EPSS
Exploits0References1
CNVD
CNVD
added 2024/12/06 12:0 a.m.7 views

Apache Ozone Authentication Error Vulnerability

Apache Ozone is an application of the US Apache Apache Foundation. A scalable, redundant and distributed object store for Hadoop and cloud-native environments. Apache Ozone version 1.4.0 suffers from an authentication error vulnerability that originates from an authentication error in an HTTP...

8.1CVSS7AI score0.00557EPSS
Exploits0References1
Github Security Blog
Github Security Blog
added 2024/12/03 12:31 p.m.22 views

Apache Ozone: Improper authentication when generating S3 secrets

Improper authentication of an HTTP endpoint in the S3 Gateway of Apache Ozone 1.4.0 allows any authenticated Kerberos user to revoke and regenerate the S3 secrets of any other user. This is only possible if: ozone.s3g.secret.http.enabled is set to true. The default value of this configuration is...

8.1CVSS7.2AI score0.00557EPSS
Exploits0References5Affected Software1
OSV
OSV
added 2024/12/03 12:31 p.m.13 views

GHSA-RCQ8-9Q3J-98MW Apache Ozone: Improper authentication when generating S3 secrets

Improper authentication of an HTTP endpoint in the S3 Gateway of Apache Ozone 1.4.0 allows any authenticated Kerberos user to revoke and regenerate the S3 secrets of any other user. This is only possible if: ozone.s3g.secret.http.enabled is set to true. The default value of this configuration is...

8.6CVSS8.2AI score0.00557EPSS
Exploits0References5
NVD
NVD
added 2024/12/03 10:15 a.m.58 views

CVE-2024-45106

Improper authentication of an HTTP endpoint in the S3 Gateway of Apache Ozone 1.4.0 allows any authenticated Kerberos user to revoke and regenerate the S3 secrets of any other user. This is only possible if: ozone.s3g.secret.http.enabled is set to true. The default value of this configuration is...

8.1CVSS0.00557EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2024/12/03 9:6 a.m.22 views

CVE-2024-45106 Apache Ozone: Improper authentication when generating S3 secrets

Improper authentication of an HTTP endpoint in the S3 Gateway of Apache Ozone 1.4.0 allows any authenticated Kerberos user to revoke and regenerate the S3 secrets of any other user. This is only possible if: ozone.s3g.secret.http.enabled is set to true. The default value of this configuration is...

7AI score0.00557EPSS
Exploits0References1
CVE
CVE
added 2024/12/03 9:6 a.m.77 views

CVE-2024-45106

CVE-2024-45106 describes an authentication flaw in the S3 Gateway of Apache Ozone 1.4.0 , where an authenticated Kerberos user can revoke and regenerate another user’s S3 secrets if: ozone.s3g.secret.http.enabled is true (default is false) the Kerberos principal is listed in ozone.s3.administrato...

8.1CVSS6.6AI score0.00557EPSS
Exploits0References2Affected Software1
OSV
OSV
added 2024/12/03 9:6 a.m.5 views

CVE-2024-45106 Apache Ozone: Improper authentication when generating S3 secrets

Improper authentication of an HTTP endpoint in the S3 Gateway of Apache Ozone 1.4.0 allows any authenticated Kerberos user to revoke and regenerate the S3 secrets of any other user. This is only possible if: ozone.s3g.secret.http.enabled is set to true. The default value of this configuration is...

8.1CVSS5.9AI score0.00557EPSS
Exploits0References5
Veracode
Veracode
added 2024/10/01 6:30 a.m.5 views

Improper Access Control

S3 Gateway is vulnerable to Improper Access Control. The vulnerability is due to inadequate authorization checks, allowing authenticated users to send requests to the delete-objects API and delete files they are not authorized to access...

6.9AI score
Exploits0
Virtuozzo
Virtuozzo
added 2024/07/17 12:0 a.m.40 views

Virtuozzo Hybrid Infrastructure 6.0 Update 1 Hotfix 9 (6.0.1-102)

This update provides security and stability fixes. Vulnerability id: VSTOR-75009, VSTOR-76816 Stability fixes for the hypervisor. Vulnerability id: VSTOR-86808 Fixed an issue with delayed file creation on NFS. Vulnerability id: VSTOR-88495 Fixed a high availability issue with incorrect paths of N...

7.8CVSS7.8AI score0.27935EPSS
Exploits1
Virtuozzo
Virtuozzo
added 2023/02/14 12:0 a.m.33 views

Virtuozzo Hybrid Infrastructure 5.4 (5.4.0-133)

In this release, Virtuozzo Hybrid Infrastructure provides a range of new features that cover compute services, management node high availability, monitoring and alerts, and the user interface. Additionally, this release delivers stability improvements and addresses issues found in previous...

0.8AI score
Exploits0
OSV
OSV
added 2022/09/23 3:13 p.m.15 views

GHSA-28Q9-9C3G-V3F9 lakeFS vulnerable to authenticated users deleting files they are not authorized to delete

Impact Authenticated users can send a request to delete-objects through the s3 gateway and delete files they are not authorized to delete. Patches lakeFS v0.82.0 and later Workarounds Drop specific request to the lakeFS listen port. Any request with "Authorization" header and value that starts wi...

7AI score
Exploits0References3
Github Security Blog
Github Security Blog
added 2022/09/23 3:13 p.m.24 views

lakeFS vulnerable to authenticated users deleting files they are not authorized to delete

Impact Authenticated users can send a request to delete-objects through the s3 gateway and delete files they are not authorized to delete. Patches lakeFS v0.82.0 and later Workarounds Drop specific request to the lakeFS listen port. Any request with "Authorization" header and value that starts wi...

2.5AI score
Exploits0References3Affected Software1
Rows per page
Query Builder