Anonymous Requests Can Bypass Metadata Validation in MinIO
CVE-2024-36107

5.3MEDIUM

Key Information:

Vendor: Minio
Status: Minio
Vendor: CVE Published:; 28 May 2024

What is CVE-2024-36107?

MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. If-Modified-Since and If-Unmodified-Since headers when used with anonymous requests by sending a random object name requests can be used to determine if an object exists or not on the server on a specific bucket and also gain access to some amount of information such as Last-Modified (of the latest version), Etag (of the latest version), x-amz-version-id (of the latest version), Expires (metadata value of the latest version), Cache-Control (metadata value of the latest version). This conditional check was being honored before validating if the anonymous access is indeed allowed on the metadata of an object. This issue has been addressed in commit e0fe7cc3917. Users must upgrade to RELEASE.2024-05-27T19-17-46Z for the fix. There are no known workarounds for this issue.

Affected Version(s)

minio < RELEASE.2024-05-27T19-17-46Z

References

https://github.com/minio/minio/security/advisories/GHSA-9...

x_refsource_CONFIRM

https://github.com/minio/minio/pull/19810

x_refsource_MISC

https://github.com/minio/minio/commit/e0fe7cc391724fc5baa...

x_refsource_MISC

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 28, 2024
Vulnerability Reserved
May 20, 2024

Minio

What is CVE-2024-36107?

Affected Version(s)

References

CVSS V3.1

Timeline