CVE-2023-33955

MinIO console object names with the RIGHT-TO-LEFT OVERRIDE Unicode character can be exploited in go/github.com/minio/console

Identifiers

CVE-2023-33955, GHSA-jv3f-7m33-qp65

Package Slug

go/github.com/minio/console

Vulnerability

MinIO console object names with the RIGHT-TO-LEFT OVERRIDE Unicode character can be exploited

Description

Impact

Unicode RIGHT-TO-LEFT OVERRIDE characters can be used to mask the original filename.

Reported-By

Thanks to the report from Mio Li wulilixi1@gmail.com

Patches

```
commit 17e791afb90c9ad27c65f63c6be14f2f6a3a9d60
Author: Daniel Valdivia <18384552+dvaldivia@users.noreply.github.com>
Date:   Tue May 23 08:47:12 2023 -0700

    Replace RIGHT-TO-LEFT OVERRIDE unicode (#2828)

    Signed-off-by: Daniel Valdivia <18384552+dvaldivia@users.noreply.github.com>
```

Workarounds

As a workaround, remove the affected file and rewrite it with the correct file name and extension. Avoid using RTLO characters in your filenames.
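To find objects that need the workaround, object names can be checked for bidirectional control characters and shown with those characters made visible. The following is an added example, not the MinIO console patch or project code; `Inspect` and `Finding` are hypothetical names, the sample object names are constructed, and the check goes beyond U+202E (RIGHT-TO-LEFT OVERRIDE) to the other Unicode bidi formatting controls.

```go
package main

import (
	"fmt"
	"strings"
)

// bidiControls lists the Unicode bidirectional formatting characters that can
// reorder how a name is displayed. U+202E is the RIGHT-TO-LEFT OVERRIDE named
// in the advisory; the others are included as a generalization.
var bidiControls = map[rune]string{
	'\u202A': "LRE", '\u202B': "RLE", '\u202C': "PDF", '\u202D': "LRO",
	'\u202E': "RLO", '\u2066': "LRI", '\u2067': "RLI", '\u2068': "FSI",
	'\u2069': "PDI",
}

// Finding describes one object name that contains bidi control characters.
type Finding struct {
	Name    string   // original object name
	Visible string   // name with each control rendered as <U+XXXX>
	Found   []string // short names of the controls, in order of appearance
}

// Inspect returns a Finding and true when name contains a bidi control.
func Inspect(name string) (Finding, bool) {
	var b strings.Builder
	f := Finding{Name: name}
	for _, r := range name {
		if short, ok := bidiControls[r]; ok {
			f.Found = append(f.Found, short)
			fmt.Fprintf(&b, "<U+%04X>", r) // show the control instead of applying it
			continue
		}
		b.WriteRune(r)
	}
	f.Visible = b.String()
	return f, len(f.Found) > 0
}

func main() {
	// Constructed sample object names, not taken from the advisory.
	names := []string{"reports/q1.pdf", "reports/invoice\u202Efdp.exe"}
	for _, n := range names {
		if f, bad := Inspect(n); bad {
			fmt.Printf("FLAG %q -> %s %v\n", n, f.Visible, f.Found)
		}
	}
}
```

The `Visible` form shows the stored byte order of the name, so the real extension can be read before the object is removed and rewritten.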

Affected Versions

All versions before 0.28.0

Solution

Upgrade to version 0.28.0 or above.

Last Modified

2023-05-29
