
Privilege escalation allowing DELETE on resources on object locked buckets under Governance mode

High
harshavardhana published GHSA-c8fc-mjj8-fc63 Feb 21, 2023

Package

gomod minio (Go)

Affected versions

>= RELEASE.2020-04-10T03-34-42Z

Patched versions

RELEASE.2023-02-17T17-52-43Z

Description

Impact

This issue affects all users in the following category: buckets with object locking enabled
under Governance mode. On those buckets, if you specifically added a Deny statement on
s3:BypassGovernanceRetention, it is not honored correctly when the same policy also contains an
Allow statement granting all S3 actions (s3:*).

For example:

{
    "Version": "2012-10-17",
    "Statement": [
        { "Effect": "Deny", "Action": ["s3:BypassGovernanceRetention"], "Resource": ["arn:aws:s3:::*"] },
        { "Effect": "Allow", "Action": ["s3:*"], "Resource": ["arn:aws:s3:::*"] }
    ]
}

Ideally, we should return "Access Denied" to every user attempting to DELETE a versioned object
with the header X-Amz-Bypass-Governance-Retention: true, which requests a bypass of the
governance-mode retention. With the policy above, however, the caller succeeds in deleting the content.
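The evaluation the advisory expects, as an added example that is not MinIO's own code: an explicit Deny wins over any matching Allow (including the s3:* wildcard), and a DELETE that carries the bypass header must pass the s3:BypassGovernanceRetention check in addition to s3:DeleteObject. Statements hold one Action and one Resource pattern each for brevity; the object ARN used in tests is a constructed sample.

```go
package main

// Statement/Policy: the subset of an IAM policy the advisory uses (one pattern each for brevity).
type Statement struct{ Effect, Action, Resource string }
type Policy []Statement

// matchWildcard: '*' matches any run of characters, ':' and '/' included, as IAM matches
// action names and ARNs (path.Match would stop at '/', so it is not used here).
func matchWildcard(pattern, s string) bool {
	if pattern == "" {
		return s == ""
	}
	if pattern[0] == '*' {
		for i := 0; i <= len(s); i++ {
			if matchWildcard(pattern[1:], s[i:]) {
				return true
			}
		}
		return false
	}
	return s != "" && pattern[0] == s[0] && matchWildcard(pattern[1:], s[1:])
}

// IsAllowed applies IAM semantics: a matching explicit Deny beats any Allow; default is deny.
func (p Policy) IsAllowed(action, resource string) bool {
	allowed := false
	for _, st := range p {
		if !matchWildcard(st.Action, action) || !matchWildcard(st.Resource, resource) {
			continue
		}
		if st.Effect == "Deny" {
			return false
		}
		allowed = true
	}
	return allowed
}

// AuthorizeDelete decides a DELETE of an object version. With X-Amz-Bypass-Governance-Retention: true
// the caller also needs s3:BypassGovernanceRetention; a Deny on either action means AccessDenied.
func AuthorizeDelete(p Policy, resource string, bypassHeader bool) bool {
	if !p.IsAllowed("s3:DeleteObject", resource) {
		return false
	}
	return !bypassHeader || p.IsAllowed("s3:BypassGovernanceRetention", resource)
}

// AdvisoryPolicy is the advisory's example: Deny the bypass action, Allow s3:*.
var AdvisoryPolicy = Policy{
	{Effect: "Deny", Action: "s3:BypassGovernanceRetention", Resource: "arn:aws:s3:::*"},
	{Effect: "Allow", Action: "s3:*", Resource: "arn:aws:s3:::*"},
}
```

With the advisory's policy, a plain DELETE is allowed by s3:* but a DELETE carrying the bypass header is denied; dropping the Deny statement makes the wildcard cover the bypass action too.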

All users are advised to upgrade to RELEASE.2023-02-17T17-52-43Z to get the relevant fix and protection.

Additionally, please review all your IAM policies for any such occurrences.

Patches

commit a7188bc9d0f0a5ae05aaf1b8126bcd3cb3fdc485
Author: Anis Elleuch <vadmeste@users.noreply.github.com>
Date:   Fri Feb 17 03:23:34 2023 +0100

    fix: evaluate BypassGov policy action in deletion correctly (#16635)

References

Feel free to reach out to us if you have more questions

Severity

High

CVE ID

CVE-2023-25812

Weaknesses

No CWEs

Credits