CVE-2025-68671 lakeFS is Missing Timestamp Validation in S3 Gateway Authentication

lakeFS is an open-source tool that transforms object storage into a Git-like repositories. LakeFS's S3 gateway does not validate timestamps in authenticated requests, allowing replay attacks. Prior to 1.75.0, an attacker who captures a valid signed request e.g., through network interception, logs...

lakeFS security vulnerability

LakeFS is an open-source tool developed by Treeverse. It allows you to convert your object storage into a repository similar to Git. Versions of LakeFS prior to 1.75.0 contained security vulnerabilities. These vulnerabilities stemmed from the S3 gateway not verifying the timestamps in authenticat...

rgw: improperly verified POST keys

A flaw was found in rgw. This flaw allows an unprivileged user to write to any buckets accessible by a given key if a POST's form-data contains a key called 'bucket' with a value matching the bucket's name used to sign the request. This issue results in a user being able to upload to any bucket...

SUSE CVE-2022-3854

A flaw was found in Ceph, relating to the URL processing on RGW backends. An attacker can exploit the URL processing by providing a null URL to crash the RGW, causing a denial of service...

ceph: RGW permits bucket listing when authenticated_users=read

A flaw was found in Ceph RGW code which allows an anonymous user to list contents of RGW bucket by bypassing ACL which should only allow authenticated users to list contents of bucket...