All posts

Security Advisory

Synopsis: Unauthorized bucket access possibilities against the IAM implementation of MinIO server was discovered and has been fixed in RELEASE.2019–06–15T23–07–18Z.

Severity: High

Who is affected: All users of IAM feature of MinIO server and gateway are affected. It is highly recommended to upgrade.

Recommended Action for Users: All users are advised to upgrade their Minio deployments to the latest version. This issue is fixed in version RELEASE.2019–06–15T23–07–18Z ( No other action is required.

Description: An IAM user is granted access to more buckets than allowed by the IAM policy.

An IAM user has access to all the buckets whose name has a prefix equal to the buckets listed in the IAM policy. The allowed actions will still be dictated by the IAM policy.

This is due to an issue of prefix-based Matcher() function which was incorrectly matching prefix based on resource prefixes instead of an exact match.

For e.g, a user with the following IAM policy:

will be able to list objects (s3:ListBucket) on buckets jack, jackson, jackie etc.

The issue was reported by a community user Aaron Dummer and a patch has been submitted to fix this issue. The patch has been reviewed and accepted, and a new release has been made.

At the time of writing, this exploit has not been observed in the wild.