Security Advisory

Synopsis: A possible authentication bypass against the Minio server Storage API was discovered and has been fixed in RELEASE.2019-02-12T21-58-47Z.

Severity: Critical

Who is affected: The issue is present in all Minio releases after October 4th 2018. All users of the distributed erasure backend are affected. Users of the FS and Gateway backends are not affected. However, it is still recommended that everyone upgrade.

Recommended Action for Users: All users are advised to upgrade their Minio deployments to the latest version. This issue is fixed in version RELEASE.2019-02-12T21-58-47Z.

Description: A user can craft custom Storage API requests (part of Minio’s inter-node protocol) that bypass the authentication layer and access the underlying data.

The issue was discovered through an internal security audit. A successful exploit can be used to steal or corrupt your data. At the time of writing, this exploit has not been observed in the wild.
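A triage check for the affected window and fix release stated above, as an added example that is not Minio's own code. The inventory rows, the backend labels (`distributed-erasure`, `fs`, `gateway`) and the status names are assumptions made for the example, and the sample tags are constructed.

```python
import re
from datetime import date, datetime, timezone

FIXED_TAG = "RELEASE.2019-02-12T21-58-47Z"  # fix release named in the advisory
WINDOW_START = date(2018, 10, 4)            # "releases after October 4th 2018"
# Typographic dashes that replace "-" when a tag is copied from a rendered page.
_DASHES = dict.fromkeys(map(ord, "\u2010\u2011\u2012\u2013\u2014\u2212"), "-")
_TAG_RE = re.compile(r"RELEASE\.(\d{4})-(\d\d)-(\d\d)T(\d\d)-(\d\d)-(\d\d)Z")

def parse_release(tag):
    """Return the UTC timestamp encoded in a Minio release tag."""
    m = _TAG_RE.fullmatch(tag.strip().translate(_DASHES))
    if not m:
        raise ValueError(f"not a Minio release tag: {tag!r}")
    return datetime(*map(int, m.groups()), tzinfo=timezone.utc)

def triage(tag, backend):
    """Classify one deployment against the advisory (status names are hypothetical)."""
    released = parse_release(tag)
    if released >= parse_release(FIXED_TAG):
        return "fixed"
    if released.date() == WINDOW_START:
        return "review"           # advisory says "after" that date; check by hand
    if released.date() < WINDOW_START:
        return "upgrade-advised"  # outside the affected window, upgrade still advised
    if backend == "distributed-erasure":
        return "affected"
    if backend in ("fs", "gateway"):
        return "upgrade-advised"  # backends the advisory lists as not affected
    return "review"               # backend the advisory does not mention

# Constructed inventory: (host, release tag, backend label).
INVENTORY = [
    ("node-a", "RELEASE.2018-12-01T00-00-00Z", "distributed-erasure"),
    ("node-b", "RELEASE.2018-12-01T00-00-00Z", "fs"),
    ("node-c", "RELEASE.2018-09-01T00-00-00Z", "distributed-erasure"),
    ("node-d", "RELEASE.2019\u201302\u201312T21\u201358\u201347Z", "distributed-erasure"),
]

def report(inventory):
    """Map each host to its triage status."""
    return {host: triage(tag, backend) for host, tag, backend in inventory}

if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host}: {status}")
```

Releases newer than the fix are reported as `fixed` on the assumption that later releases carry the fix forward.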