21 matches found
SUSE CVE-2025-68671
lakeFS is an open-source tool that transforms object storage into Git-like repositories. lakeFS's S3 gateway does not validate timestamps in authenticated requests, allowing replay attacks. Prior to 1.75.0, an attacker who captures a valid signed request, e.g., through network interception, logs...
CVE-2025-68671 lakeFS is Missing Timestamp Validation in S3 Gateway Authentication
lakeFS is an open-source tool that transforms object storage into Git-like repositories. lakeFS's S3 gateway does not validate timestamps in authenticated requests, allowing replay attacks. Prior to 1.75.0, an attacker who captures a valid signed request, e.g., through network interception, logs...
CVE-2025-68671
lakeFS - S3 gateway vulnerability: missing timestamp validation in authenticated requests allows replay attacks. Attackers can reuse valid signed requests until credentials rotate; impact is limited to replay of previously captured requests. Affected: lakeFS S3 gateway; root cause is lack of time...
EUVD-2026-2725
lakeFS is Missing Timestamp Validation in S3 Gateway Authentication...
CVE-2024-45106
Improper authentication of an HTTP endpoint in the S3 Gateway of Apache Ozone 1.4.0 allows any authenticated Kerberos user to revoke and regenerate the S3 secrets of any other user. This is only possible if: ozone.s3g.secret.http.enabled is set to true. The default value of this configuration is...
Apache Ozone Authentication Error Vulnerability
Apache Ozone is an application of the US Apache Foundation: a scalable, redundant and distributed object store for Hadoop and cloud-native environments. Apache Ozone version 1.4.0 suffers from an authentication error vulnerability that originates from an authentication error in an HTTP...
Apache Ozone: Improper authentication when generating S3 secrets
Improper authentication of an HTTP endpoint in the S3 Gateway of Apache Ozone 1.4.0 allows any authenticated Kerberos user to revoke and regenerate the S3 secrets of any other user. This is only possible if: ozone.s3g.secret.http.enabled is set to true. The default value of this configuration is...
GHSA-RCQ8-9Q3J-98MW Apache Ozone: Improper authentication when generating S3 secrets
Improper authentication of an HTTP endpoint in the S3 Gateway of Apache Ozone 1.4.0 allows any authenticated Kerberos user to revoke and regenerate the S3 secrets of any other user. This is only possible if: ozone.s3g.secret.http.enabled is set to true. The default value of this configuration is...
CVE-2024-45106
Improper authentication of an HTTP endpoint in the S3 Gateway of Apache Ozone 1.4.0 allows any authenticated Kerberos user to revoke and regenerate the S3 secrets of any other user. This is only possible if: ozone.s3g.secret.http.enabled is set to true. The default value of this configuration is...
CVE-2024-45106
Improper authentication of an HTTP endpoint in the S3 Gateway of Apache Ozone 1.4.0 allows any authenticated Kerberos user to revoke and regenerate the S3 secrets of any other user. This is only possible if: ozone.s3g.secret.http.enabled is set to true. The default value of this configuration is...
CVE-2024-45106 Apache Ozone: Improper authentication when generating S3 secrets
Improper authentication of an HTTP endpoint in the S3 Gateway of Apache Ozone 1.4.0 allows any authenticated Kerberos user to revoke and regenerate the S3 secrets of any other user. This is only possible if: ozone.s3g.secret.http.enabled is set to true. The default value of this configuration is...
CVE-2024-45106
CVE-2024-45106 describes an authentication flaw in the S3 Gateway of Apache Ozone 1.4.0, where an authenticated Kerberos user can revoke and regenerate another user’s S3 secrets if: ozone.s3g.secret.http.enabled is true (default is false); the Kerberos principal is listed in ozone.s3.administrato...
Improper Access Control
S3 Gateway is vulnerable to Improper Access Control. The vulnerability is due to inadequate authorization checks, allowing authenticated users to send requests to the delete-objects API and delete files they are not authorized to access...
Virtuozzo Hybrid Infrastructure 6.0 Update 1 Hotfix 9 (6.0.1-102)
This update provides security and stability fixes. Vulnerability id: VSTOR-75009, VSTOR-76816 Stability fixes for the hypervisor. Vulnerability id: VSTOR-86808 Fixed an issue with delayed file creation on NFS. Vulnerability id: VSTOR-88495 Fixed a high availability issue with incorrect paths of N...
Virtuozzo Hybrid Infrastructure 5.4 (5.4.0-133)
In this release, Virtuozzo Hybrid Infrastructure provides a range of new features that cover compute services, management node high availability, monitoring and alerts, and the user interface. Additionally, this release delivers stability improvements and addresses issues found in previous...
GHSA-28Q9-9C3G-V3F9 lakeFS vulnerable to authenticated users deleting files they are not authorized to delete
Impact: Authenticated users can send a request to delete-objects through the S3 gateway and delete files they are not authorized to delete. Patches: lakeFS v0.82.0 and later. Workarounds: Drop specific request to the lakeFS listen port. Any request with "Authorization" header and value that starts wi...
lakeFS vulnerable to authenticated users deleting files they are not authorized to delete
Impact: Authenticated users can send a request to delete-objects through the S3 gateway and delete files they are not authorized to delete. Patches: lakeFS v0.82.0 and later. Workarounds: Drop specific request to the lakeFS listen port. Any request with "Authorization" header and value that starts wi...
Improper Access Control
github.com/treeverse/lakefs is vulnerable to improper access control. The vulnerability exists because it does not perform sufficient user permission checks on repository actions, allowing an attacker to use the S3 gateway to copy object and read write actions on repository commits...
GHSA-M836-GXWQ-J2PM Improper Access Control in github.com/treeverse/lakefs
Impact: 1. (medium) A user with write permissions to a portion of a repository may use the S3 gateway to copy any object in the repository if they know its name. 2. (medium) A user with permission to write any one of tags, branches, or commits on a repository may write all of them. 3. (low) A user with...
Virtuozzo Hybrid Infrastructure 4.7
In this release, Virtuozzo Hybrid Infrastructure provides a wide range of new features that enhance service providers' interoperability and help expand their services. The improvements cover compute services, object storage, core storage, monitoring, high availability for the management node,...