Bug 2357275 (CVE-2025-31489)
Summary: | CVE-2025-31489 minio: MinIO performs incomplete signature validation for unsigned-trailer uploads | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
Status: | NEW --- | QA Contact: | |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | unspecified | CC: | bdettelb, caswilli, doconnor, jforrest, jkoehler, kaycoth, lphiri, mwringe, teagle |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | --- | |
Doc Text: | A flaw was found in the MinIO package. For unsigned-trailer uploads, signature validation is incomplete: the signature component of the authorization may be invalid, which means that a client can use any arbitrary secret to upload objects, provided the user already has WRITE permissions on the bucket. Prior knowledge of the access key and of a bucket name this user might have access to is necessary, and the access key must have WRITE permissions. With that information in place, however, uploading random objects to buckets is trivial via curl. |
Bug Depends On: | 2357458, 2357459, 2357456, 2357457 | ||
Bug Blocks: |
Description
OSIDB Bzimport
2025-04-03 20:01:16 UTC