FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-04-16 06:42:40 UTC


These are the vulnerabilities relating to the commit you have selected:

VuXML ID    Description
b073677f-253a-41f9-bf2b-2d16072a25f6    minio -- MITM attack

minio developer report:

This is a security issue because it enables MITM modification of request bodies that are meant to have integrity guaranteed by chunk signatures.

In a PUT request using aws-chunked encoding, MinIO ordinarily verifies signatures at the end of a chunk. This check can be skipped if the client sends a false chunk size that is much greater than the actual data sent: the server accepts and completes the request without ever reaching the end of the chunk + thereby without ever checking the chunk signature.


Discovery 2021-03-17
Entry 2021-03-17
minio < 2021.03.17.02.33.02

https://github.com/minio/minio/security/advisories/GHSA-xr7r-7gpj-5pgp
8e20430d-a72b-11ed-a04f-40b034455553    MinIO -- unprivileged users can create service accounts for admin users

MinIO reports:

A security issue was found where an unprivileged user is able to create service accounts for root or other admin users and then is able to assume their access policies via the generated credentials.


Discovery 2022-04-11
Entry 2023-02-13
minio < 2022.04.12.06.55.35

CVE-2022-24842
https://github.com/minio/minio/security/advisories/GHSA-2j69-jjmg-534q
a4ff3673-d742-4b83-8c2b-3ddafe732034    minio -- User privilege escalation

minio developers report:

AddUser() API endpoint was exposed to a legacy behavior, i.e. it accepts a "policy" field.

This API is mainly used to create a user or update a user's password.

However, a malicious client can hand-craft an HTTP API call that allows for updating Policy for a user and gaining higher privileges.


Discovery 2021-12-27
Entry 2021-12-29
minio < 2021.12.27.07.23.18

CVE-2021-43858
https://github.com/minio/minio/security/advisories/GHSA-j6jc-jqqc-p6cx
f4b15f7d-d33a-4cd0-a97b-709d6af0e43e    minio -- policy restriction issue

minio developers report:

Looks like policy restriction was not working properly for normal users when they are not svc or STS accounts.

  • svc accounts are now properly fixed to get right permissions when it's inherited, so we do not have to set 'owner = true'
  • sts accounts have always been using right permissions, do not need an explicit lookup
  • regular users always have proper policy mapping

Discovery 2021-10-12
Entry 2021-10-23
minio < 2021.10.23.03.28.24

CVE-2021-41137
https://github.com/minio/minio/security/advisories/GHSA-v64v-g97p-577c