Synopsis: A signature verification bypass vulnerability against the MinIO server was discovered and has been fixed in RELEASE.2021-03-17T02-33-02Z.
Who is affected: All users of the MinIO server version before RELEASE.2021-03-17T02-33-02Z affected. Users access MinIO over TLS are not affected.
Description: An MitM attacker can modify the chunk size of S3 streaming signature V4 encoded object data. This can be abused to modify uploaded content when the connection is not encrypted with TLS.
Thanks to @jcsp from our community who discovered and reported this issue to our security team. A patch has been submitted that reads and verifies S3 streaming signature V4 chunks in an atomic way instead of a deferred signature check. For more information take a look at our Github Security Advisory. The patch has been reviewed and accepted, and a new release has been made.
A successful exploit can be used modify ongoing uploads without a valid access/secret key. At the time of writing, this exploit has not been observed in the wild.