FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-04-18 11:12:36 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML ID	Description
a4ff3673-d742-4b83-8c2b-3ddafe732034	minio -- User privilege escalation minio developers report: AddUser() API endpoint was exposed to a legacy behavior. i.e it accepts a "policy" field This API is mainly used to create a user or update a user's password. However, a malicious client can hand-craft an HTTP API call that allows for updating Policy for a user and gaining higher privileges. Discovery 2021-12-27 Entry 2021-12-29 minio < 2021.12.27.07.23.18 CVE-2021-43858 https://github.com/minio/minio/security/advisories/GHSA-j6jc-jqqc-p6cx
f4b15f7d-d33a-4cd0-a97b-709d6af0e43e	minio -- policy restriction issue minio developers report: Looks like policy restriction was not working properly for normal users when they are not svc or STS accounts. svc accounts are now properly fixed to get right permissions when its inherited, so we do not have to set 'owner = true' sts accounts have always been using right permissions, do not need an explicit lookup regular users always have proper policy mapping Discovery 2021-10-12 Entry 2021-10-23 minio < 2021.10.23.03.28.24 CVE-2021-41137 https://github.com/minio/minio/security/advisories/GHSA-v64v-g97p-577c
b073677f-253a-41f9-bf2b-2d16072a25f6	minio -- MITM attack minio developer report: This is a security issue because it enables MITM modification of request bodies that are meant to have integrity guaranteed by chunk signatures. In a PUT request using aws-chunked encoding, MinIO ordinarily verifies signatures at the end of a chunk. This check can be skipped if the client sends a false chunk size that is much greater than the actual data sent: the server accepts and completes the request without ever reaching the end of the chunk + thereby without ever checking the chunk signature. Discovery 2021-03-17 Entry 2021-03-17 minio < 2021.03.17.02.33.02 https://github.com/minio/minio/security/advisories/GHSA-xr7r-7gpj-5pgp

VuXML ID

Description

a4ff3673-d742-4b83-8c2b-3ddafe732034

minio -- User privilege escalation

minio developers report:

AddUser() API endpoint was exposed to a legacy behavior. i.e it accepts a "policy" field

This API is mainly used to create a user or update a user's password.

However, a malicious client can hand-craft an HTTP API call that allows for updating Policy for a user and gaining higher privileges.

Discovery 2021-12-27
Entry 2021-12-29
minio

< 2021.12.27.07.23.18

CVE-2021-43858
https://github.com/minio/minio/security/advisories/GHSA-j6jc-jqqc-p6cx

f4b15f7d-d33a-4cd0-a97b-709d6af0e43e

minio -- policy restriction issue

minio developers report:

Looks like policy restriction was not working properly for normal users when they are not svc or STS accounts.

svc accounts are now properly fixed to get right permissions when its inherited, so we do not have to set 'owner = true'

sts accounts have always been using right permissions, do not need an explicit lookup

regular users always have proper policy mapping

Discovery 2021-10-12
Entry 2021-10-23
minio

< 2021.10.23.03.28.24

CVE-2021-41137
https://github.com/minio/minio/security/advisories/GHSA-v64v-g97p-577c

b073677f-253a-41f9-bf2b-2d16072a25f6

minio -- MITM attack

minio developer report:

This is a security issue because it enables MITM modification of request bodies that are meant to have integrity guaranteed by chunk signatures.

In a PUT request using aws-chunked encoding, MinIO ordinarily verifies signatures at the end of a chunk. This check can be skipped if the client sends a false chunk size that is much greater than the actual data sent: the server accepts and completes the request without ever reaching the end of the chunk + thereby without ever checking the chunk signature.

Discovery 2021-03-17
Entry 2021-03-17
minio

< 2021.03.17.02.33.02

https://github.com/minio/minio/security/advisories/GHSA-xr7r-7gpj-5pgp