FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-03-27 18:04:16 UTC


k68

These are the vulnerabilities relating to the commit you have selected:

VuXML ID: b073677f-253a-41f9-bf2b-2d16072a25f6
Description: minio -- MITM attack

minio developer report:

This is a security issue because it enables MITM modification of request bodies that are meant to have integrity guaranteed by chunk signatures.

In a PUT request using aws-chunked encoding, MinIO ordinarily verifies signatures at the end of a chunk. This check can be skipped if the client sends a false chunk size that is much greater than the actual data sent: the server accepts and completes the request without ever reaching the end of the chunk, and thereby without ever checking the chunk signature.

Discovery: 2021-03-17
Entry: 2021-03-17
Affected package: minio < 2021.03.17.02.33.02

https://github.com/minio/minio/security/advisories/GHSA-xr7r-7gpj-5pgp
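As an added illustration, not MinIO's code, here is a Python decoder for the aws-chunked layout that refuses to complete a request whose declared chunk size is not backed by the bytes actually received, and that verifies every chunk signature before accepting the data. The signing key and the chunk string-to-sign are simplified stand-ins (assumptions), not the real SigV4 derivation.

```python
import hashlib
import hmac

KEY = b"demo-signing-key"  # constructed demo key; real SigV4 derives a per-request key

def chunk_signature(prev_sig: str, data: bytes) -> str:
    # Simplified chunk string-to-sign (assumption): previous signature + SHA-256 of the chunk.
    msg = (prev_sig + "\n" + hashlib.sha256(data).hexdigest()).encode()
    return hmac.new(KEY, msg, hashlib.sha256).hexdigest()

def encode_chunked(chunks, seed_sig: str = "seed") -> bytes:
    """Build a body in the aws-chunked wire layout: size;chunk-signature=sig CRLF data CRLF."""
    out, prev = b"", seed_sig
    for data in list(chunks) + [b""]:  # trailing zero-length chunk terminates the stream
        sig = chunk_signature(prev, data)
        out += f"{len(data):x};chunk-signature={sig}\r\n".encode() + data + b"\r\n"
        prev = sig
    return out

def decode_chunked(body: bytes, seed_sig: str = "seed") -> bytes:
    """Decode and verify. A chunk is accepted only once all of its declared bytes have
    arrived and its signature checks out; a size larger than the data present is an error."""
    pos, prev, payload = 0, seed_sig, b""
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("missing chunk header")
        size_hex, _, sig = body[pos:eol].decode().partition(";chunk-signature=")
        size = int(size_hex, 16)
        start, end = eol + 2, eol + 2 + size
        if end + 2 > len(body):  # the check the advisory describes as being skipped
            raise ValueError("truncated chunk: declared size exceeds data present")
        data = body[start:end]
        if body[end:end + 2] != b"\r\n":
            raise ValueError("malformed chunk terminator")
        if not hmac.compare_digest(sig, chunk_signature(prev, data)):
            raise ValueError("bad chunk signature")
        if size == 0:
            return payload
        payload += data
        prev, pos = sig, end + 2

def verdict(body: bytes) -> str:
    """Return 'ok' or the rejection reason, for callers that only need a decision."""
    try:
        decode_chunked(body)
        return "ok"
    except ValueError as exc:
        return str(exc)
```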
VuXML ID: 8ec7d426-055d-46bc-8f5a-a9d73a5a71ab
Description: minio -- Server Side Request Forgery

Minio developers report:

Thanks to @phith0n from our community, who upon a code review discovered an SSRF (Server Side Request Forgery) in our Browser API implementation. We have not observed this report/attack in the wild or reported elsewhere in the community at large.

All users are advised to upgrade ASAP.

The target application may have functionality for importing data from a URL, publishing data to a URL, or otherwise reading data from a URL that can be tampered with. The attacker modifies the calls to this functionality by supplying a completely different URL or by manipulating how URLs are built (path traversal etc.).

In a Server-Side Request Forgery (SSRF) attack, the attacker can abuse functionality on the server to read or update internal resources. The attacker can supply or modify a URL to which the code running on the server will read or submit data, and by carefully selecting the URLs, the attacker may be able to read server configuration such as AWS metadata, connect to internal services like HTTP-enabled databases, or perform POST requests towards internal services which are not intended to be exposed.

Discovery: 2021-01-29
Entry: 2021-01-31
Affected package: minio < 2021.01.30.00.20.58

https://github.com/minio/minio/security/advisories/GHSA-m4qq-5f7c-693q
VuXML ID: f4b15f7d-d33a-4cd0-a97b-709d6af0e43e
Description: minio -- policy restriction issue

minio developers report:

Looks like policy restriction was not working properly for normal users when they are not svc or STS accounts.

  • svc accounts are now properly fixed to get the right permissions when they are inherited, so we do not have to set 'owner = true'
  • sts accounts have always been using right permissions, do not need an explicit lookup
  • regular users always have proper policy mapping

Discovery: 2021-10-12
Entry: 2021-10-23
Affected package: minio < 2021.10.23.03.28.24

CVE-2021-41137
https://github.com/minio/minio/security/advisories/GHSA-v64v-g97p-577c
VuXML ID: a4ff3673-d742-4b83-8c2b-3ddafe732034
Description: minio -- User privilege escalation

minio developers report:

The AddUser() API endpoint was exposed to a legacy behavior, i.e., it accepts a "policy" field.

This API is mainly used to create a user or update a user's password.

However, a malicious client can hand-craft an HTTP API call that allows for updating Policy for a user and gaining higher privileges.

Discovery: 2021-12-27
Entry: 2021-12-29
Affected package: minio < 2021.12.27.07.23.18

CVE-2021-43858
https://github.com/minio/minio/security/advisories/GHSA-j6jc-jqqc-p6cx