Security Advisory

Synopsis: Possibility of spoofing authentication as another user on the Minio server S3 and Admin API was discovered and has been fixed in RELEASE.2019–02–20T22–44–29Z

Severity: Medium

Who is affected: All users using multi-user feature are affected. However, it is still recommended for everyone to upgrade.

Recommended Action for Users: All users are advised to upgrade their Minio deployments to the latest version. This issue is fixed in version RELEASE.2019–02–20T22–44–29Z (download).

Description: A user can craft custom S3 API requests and access Minio as another user in the system.

The issue was discovered through an internal security audit. At the time of writing, this exploit has not been observed in the wild.