CVE-2022-31028: MinIO is a multi-cloud object storage solution. Starting with version RELEASE.2019-09-25T18-25-51Z and ending with version RELEASE.2022-06-02T02-11-04Z, MinIO is vulnerable to an unending go-routine buildup while keeping connections established due to HTTP clients not closing the connections. Public-facing MinIO deployments are most affected. Users should upgrade to RELEASE.2022-06-02T02-11-04Z to receive a patch. One possible workaround is to use a reverse proxy to limit the number of connections being attempted in front of MinIO, and actively rejecting connections from such malicious clients. There seems to be exploit code available: https://gist.github.com/harshavardhana/2d00e6f909054d2d2524c71485ad02e1 Needs bump to RELEASE.2022-06-02T02-11-04Z.
*** Bug 830137 has been marked as a duplicate of this bug. ***
CVE-2021-43858 (https://github.com/minio/minio/commit/5a96cbbeaabd0a82b0fe881378e7c21c85091abf): MinIO is a Kubernetes native application for cloud storage. Prior to version `RELEASE.2021-12-27T07-23-18Z`, a malicious client can hand-craft an HTTP API call that allows for updating policy for a user and gaining higher privileges. The patch in version `RELEASE.2021-12-27T07-23-18Z` changes the accepted request body type and removes the ability to apply policy changes through this API. There is a workaround for this vulnerability: Changing passwords can be disabled by adding an explicit `Deny` rule to disable the API for users. CVE-2022-35919 (https://github.com/minio/minio/security/advisories/GHSA-gr9v-6pcm-rqvg): MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. In affected versions all 'admin' users authorized for `admin:ServerUpdate` can selectively trigger an error that in response, returns the content of the path requested. Any normal OS system would allow access to contents at any arbitrary paths that are readable by MinIO process. Users are advised to upgrade. Users unable to upgrade may disable ServerUpdate API by denying the `admin:ServerUpdate` action for your admin users via IAM policies.
CVE-2023-25812 (https://github.com/minio/minio/security/advisories/GHSA-c8fc-mjj8-fc63): Minio is a Multi-Cloud Object Storage framework. Affected versions do not correctly honor a `Deny` policy on ByPassGoverance. Ideally, minio should return "Access Denied" to all users attempting to DELETE a versionId with the special header `X-Amz-Bypass-Governance-Retention: true`. However, this was not honored instead the request will be honored and an object under governance would be incorrectly deleted. All users are advised to upgrade. There are no known workarounds for this issue.
CVE-2023-28432 (https://github.com/minio/minio/security/advisories/GHSA-6xvq-wj2x-3h3q): Minio is a Multi-Cloud Object Storage framework. In a cluster deployment starting with RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z, MinIO returns all environment variables, including `MINIO_SECRET_KEY` and `MINIO_ROOT_PASSWORD`, resulting in information disclosure. All users of distributed deployment are impacted. All users are advised to upgrade to RELEASE.2023-03-20T20-16-18Z. CVE-2023-28433 (https://github.com/minio/minio/security/advisories/GHSA-w23q-4hw3-2pp6): Minio is a Multi-Cloud Object Storage framework. All users on Windows prior to version RELEASE.2023-03-20T20-16-18Z are impacted. MinIO fails to filter the `\` character, which allows for arbitrary object placement across buckets. As a result, a user with low privileges, such as an access key, service account, or STS credential, which only has permission to `PutObject` in a specific bucket, can create an admin user. This issue is patched in RELEASE.2023-03-20T20-16-18Z. There are no known workarounds. CVE-2023-28434 (https://github.com/minio/minio/security/advisories/GHSA-2pxw-r47w-4p8c): Minio is a Multi-Cloud Object Storage framework. Prior to RELEASE.2023-03-20T20-16-18Z, an attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing `PostPolicyBucket`. To carry out this attack, the attacker requires credentials with `arn:aws:s3:::*` permission, as well as enabled Console API access. This issue has been patched in RELEASE.2023-03-20T20-16-18Z. As a workaround, enable browser API access and turn off `MINIO_BROWSER=off`.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4069216181bf2790e2903b7b64a2cf538abb9478 commit 4069216181bf2790e2903b7b64a2cf538abb9478 Author: John Helmert III <ajak@gentoo.org> AuthorDate: 2023-03-23 02:18:44 +0000 Commit: John Helmert III <ajak@gentoo.org> CommitDate: 2023-03-23 02:19:13 +0000 profiles: last rite net-fs/minio Bug: https://bugs.gentoo.org/782037 Bug: https://bugs.gentoo.org/850547 Signed-off-by: John Helmert III <ajak@gentoo.org> profiles/package.mask | 5 +++++ 1 file changed, 5 insertions(+)
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=054b9ce7b4047e76b55e86a9396d1405367b475d commit 054b9ce7b4047e76b55e86a9396d1405367b475d Author: David Seifert <soap@gentoo.org> AuthorDate: 2023-04-23 14:04:30 +0000 Commit: David Seifert <soap@gentoo.org> CommitDate: 2023-04-23 14:04:30 +0000 net-fs/minio: treeclean Closes: https://bugs.gentoo.org/782037 Bug: https://bugs.gentoo.org/850547 Signed-off-by: David Seifert <soap@gentoo.org> net-fs/minio/Manifest | 2 - net-fs/minio/files/minio.default | 4 -- net-fs/minio/files/minio.initd | 11 ----- net-fs/minio/files/minio.service | 30 ------------ net-fs/minio/metadata.xml | 8 ---- net-fs/minio/minio-2021.04.18.19.26.29-r2.ebuild | 61 ------------------------ profiles/package.mask | 5 -- 7 files changed, 121 deletions(-)
