15 matches found
EUVD-2015-5237
Malware in sbrugna...
MinIO performs incomplete signature validation for unsigned-trailer uploads
Impact This is a high priority vulnerability and users must upgrade ASAP. The signature component of the authorization may be invalid, which would mean that as a client you can use any arbitrary secret to upload objects given the user already has prior WRITE permissions on the bucket, Prior...
CVE-2025-31489
A flaw was found in the Minio package. The signature component of the authorization may be invalid, which would mean that, as a client, you can use any arbitrary secret to upload objects, given the user already has prior WRITE permissions on the bucket. Prior knowledge of the access key and bucke...
CVE-2025-31489
MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. The signature component of the authorization may be invalid, which would mean that as a client you can use any arbitrary secret to upload objects given the user already has prior WRITE permissions on...
PT-2025-14797
Name of the Vulnerable Software and Affected Versions: MinIO versions prior to RELEASE.2025-04-03T14-56-28Z Description: The issue concerns an authorization flaw in MinIO, a high-performance object storage system. This flaw allows a client with prior WRITE permissions on a bucket to upload object...
CVE-2024-28823
Amazon AWS aws-js-s3-explorer aka AWS JavaScript S3 Explorer 1.0.0 allows XSS via a crafted S3 bucket name to index.html...
PT-2024-22591 · Amazon Aws · Aws-Js-S3-Explorer
Name of the Vulnerable Software and Affected Versions: Amazon AWS aws-js-s3-explorer aka AWS JavaScript S3 Explorer version 1.0.0 Description: The issue allows for XSS via a crafted S3 bucket name to index.html. This can be exploited when a user interacts with a maliciously named S3 bucket,...
rgw: improperly verified POST keys
A flaw was found in rgw. This flaw allows an unprivileged user to write to any buckets accessible by a given key if a POST's form-data contains a key called 'bucket' with a value matching the bucket's name used to sign the request. This issue results in a user being able to upload to any bucket...
B2 Command Line Tool TOCTOU application key disclosure
Impact Linux and Mac releases of the B2 command-line tool version 3.2.0 and below contain a key disclosure vulnerability that, in certain conditions, can be exploited by local attackers through a time-of-check-time-of-use TOCTOU race condition. The command line tool saves API keys and bucket...
Invalid Character in Amazon S3 Bucket Name
Challenge When adding/editing an object storage repository and selecting or creating a folder in the Amazon S3 bucket, the following error occurs: Could not establish trust relationship for the SSL/TLS secure channel. Applicable to build 4.0.0.1553. Exception of type...
Ceph Object Gateway CRLF Vulnerability
Ceph Object Gateway is an object storage interface built on top of librados that enables applications to access Ceph Storage Clusters, a distributed storage system, through a RESTful gateway. A CRLF injection vulnerability exists in Ceph Object Gateway versions prior to 0.94.4, where a remote...
DEBIAN-CVE-2015-5245
CRLF injection vulnerability in the Ceph Object Gateway aka radosgw or RGW in Ceph before 0.94.4 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted bucket name...
UBUNTU-CVE-2015-5245
CRLF injection vulnerability in the Ceph Object Gateway aka radosgw or RGW in Ceph before 0.94.4 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted bucket name...
Ceph: RGW returns requested bucket name raw in Bucket response header
A feature in Ceph Object Gateway RGW allows to return a specific HTTP header that contains the name of a bucket that was accessed. It was found that the returned HTTP headers were not sanitized. An unauthenticated attacker could use this flaw to craft HTTP headers in responses that would confuse...
Ceph: RGW returns requested bucket name raw in Bucket response header
A feature in Ceph Object Gateway RGW allows to return a specific HTTP header that contains the name of a bucket that was accessed. It was found that the returned HTTP headers were not sanitized. An unauthenticated attacker could use this flaw to craft HTTP headers in responses that would confuse...