Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Check docs for fixed security vulnerability #1119

Open
2 tasks
djwfyi opened this issue Feb 5, 2024 · 4 comments
Open
2 tasks

Check docs for fixed security vulnerability #1119

djwfyi opened this issue Feb 5, 2024 · 4 comments
Assignees

Comments

@djwfyi
Copy link
Collaborator

djwfyi commented Feb 5, 2024

minio/minio#18928 fixes a security vulnerability that would allow for service accounts to use permission escalation.

Check docs for any changes that might need to be made:

@djwfyi
Copy link
Collaborator Author

djwfyi commented Feb 5, 2024

Security advisory notice: GHSA-xx8w-mq23-29g4

@djwfyi
Copy link
Collaborator Author

djwfyi commented Feb 5, 2024

Fix is in Server release RELEASE.2024-01-31T20-20-33Z

@ravindk89
Copy link
Collaborator

@donatello can you provide some color on the above?

Looking at https://github.com/minio/minio/pull/18928/files#diff-ef268fe29d8a37a689fc4720dcb9feb441bb3076def2ed405c717ab586d6baa2R790-R791 I can see we're looking for a specific policy.

We do have https://min.io/docs/minio/linux/administration/identity-access-management/policy-based-access-control.html#policy-action.admin-UpdateServiceAccount but that would be covered in admin:* permissions. So just checking for that wouldn't necessarily close this bug off, right?

Or did we add a new policy action UpdateServiceAccountAdminAction that exists outside of the s3:* and admin:* buckets? Which would imply this flag would now be required for root + all other users before you could modify service accounts?

Some detail would help here for us to document.

@ravindk89
Copy link
Collaborator

ping @donatello on the above

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

2 participants