Security Advisory
Synopsis: An unauthorized bucket access possibility in the IAM implementation of the MinIO server was discovered and has been fixed in RELEASE.2019-06-15T23-07-18Z.
Severity: High
Who is affected: All users of the IAM feature of the MinIO server and gateway are affected. Upgrading is highly recommended.
Recommended Action for Users: All users are advised to upgrade their MinIO deployments to the latest version. This issue is fixed in version RELEASE.2019-06-15T23-07-18Z (https://dl.minio.io/server/minio/release/linux-amd64/minio). No other action is required.
Description: An IAM user is granted access to more buckets than allowed by the IAM policy.
An IAM user has access to all buckets whose name begins with the name of a bucket listed in the IAM policy. The allowed actions are still dictated by the IAM policy.
This is due to a bug in the prefix-based Matcher() function, which matched resources by prefix instead of requiring an exact match.
For example, a user with the following IAM policy:
will be able to list objects (s3:ListBucket) in the buckets jack, jackson, jackie, etc.
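To make the described behaviour concrete, the following is an added Go example (not MinIO's own code) that contrasts a matcher treating every policy resource as a prefix with one that requires an exact match unless the pattern ends in a "*" wildcard; the policy resource and bucket names are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// S3 bucket ARNs as they appear in policy resources, e.g. "arn:aws:s3:::jack".
const bucketARNPrefix = "arn:aws:s3:::"

// matchBuggy illustrates the flawed behaviour described in the advisory
// (a reconstruction, not MinIO's actual Matcher): every policy resource is
// treated as a prefix, so "arn:aws:s3:::jack" also covers "jackson".
func matchBuggy(pattern, resource string) bool {
	pattern = strings.TrimSuffix(pattern, "*")
	return strings.HasPrefix(resource, pattern)
}

// matchFixed only treats a pattern as a prefix when it explicitly ends with
// a "*" wildcard; otherwise the resource must match exactly.
func matchFixed(pattern, resource string) bool {
	if strings.HasSuffix(pattern, "*") {
		return strings.HasPrefix(resource, strings.TrimSuffix(pattern, "*"))
	}
	return pattern == resource
}

// allowedBuckets evaluates one policy resource against candidate bucket
// names and returns those the given matcher would grant access to.
func allowedBuckets(match func(p, r string) bool, pattern string, buckets []string) []string {
	var allowed []string
	for _, b := range buckets {
		if match(pattern, bucketARNPrefix+b) {
			allowed = append(allowed, b)
		}
	}
	return allowed
}

func main() {
	// Constructed sample: a policy granting s3:ListBucket on bucket "jack" only.
	policyResource := bucketARNPrefix + "jack"
	buckets := []string{"jack", "jackson", "jackie", "jill"}
	fmt.Println("buggy:", allowedBuckets(matchBuggy, policyResource, buckets))
	fmt.Println("fixed:", allowedBuckets(matchFixed, policyResource, buckets))
}
```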
The issue was reported by community user Aaron Dummer, and a patch has been submitted to fix it. The patch has been reviewed and accepted, and a new release has been made.
At the time of writing, this exploit has not been observed in the wild.