CVE-2024-36107(Vulnerability)
htekir opened this issue · 1 comments
Minio 6.0.2 version reported as having a security vulnerability CVE-2024-36107 (NVD)
Vulnerability Detail :
MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. If-Modified-Since
and If-Unmodified-Since
headers when used with anonymous requests by sending a random object name requests can be used to determine if an object exists or not on the server on a specific bucket and also gain access to some amount of information such as Last-Modified (of the latest version)
, Etag (of the latest version)
, x-amz-version-id (of the latest version)
, Expires (metadata value of the latest version)
, Cache-Control (metadata value of the latest version)
. This conditional check was being honored before validating if the anonymous access is indeed allowed on the metadata of an object. This issue has been addressed in commit e0fe7cc3917
. Users must upgrade to RELEASE.2024-05-27T19-17-46Z for the fix. There are no known workarounds for this issue.
@htekir What is the point of adding this to an unrelated repo?
This is the report on the appropriate repo: GHSA-95fr-cm4m-q5p9