CVE-2024-36107: MinIO information disclosure vulnerability
When the If-Modified-Since or If-Unmodified-Since header is sent on an anonymous request, a guessed object name is enough to learn whether that object exists in a specific bucket, because the server answers the conditional check (304 Not Modified or 412 Precondition Failed) before denying access. The response to an existing object also carries some of its metadata:

- Last-Modified (of the latest version)
- ETag (of the latest version)
- x-amz-version-id (of the latest version)
- Expires (metadata value of the latest version)
- Cache-Control (metadata value of the latest version)

The root cause is ordering: the conditional check was honored before validating whether anonymous access to the object's metadata is actually allowed, so the precondition response and its headers were produced before authorization was consulted. The fix evaluates the bucket policy first; an anonymous caller who is not allowed to read the object gets the same AccessDenied answer whether or not the object exists and whatever conditional headers are set.
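The following is an added illustration and is not MinIO's code: a minimal Go HEAD handler in which the precondition check runs before the anonymous-access check (the vulnerable ordering) next to one that authorizes first (the fixed ordering), probed with an anonymous request carrying a far-future If-Modified-Since. The object store, bucket policy (`anonymousAllowed`, which denies everything), object name, metadata values and the choice to answer a missing object with 403 rather than 404 are all constructed assumptions for the demonstration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// object is a constructed stand-in for stored object metadata.
type object struct {
	lastModified time.Time
	etag         string
	versionID    string
}

// store is a constructed single-bucket object map; nothing in it is public.
var store = map[string]object{
	"private-bucket/report.pdf": {
		lastModified: time.Date(2024, 5, 1, 12, 0, 0, 0, time.UTC),
		etag:         `"9e107d9d372bb6826bd81d3542a419d6"`,
		versionID:    "c1a2b3d4-0000-4000-8000-000000000001",
	},
}

// anonymousAllowed models the bucket-policy check (hypothetical: deny all anonymous reads).
func anonymousAllowed(key string) bool { return false }

// writeMeta sets the headers that the advisory lists as leaked for the latest version.
func writeMeta(w http.ResponseWriter, obj object) {
	w.Header().Set("Last-Modified", obj.lastModified.UTC().Format(http.TimeFormat))
	w.Header().Set("ETag", obj.etag)
	w.Header().Set("x-amz-version-id", obj.versionID)
}

// checkPreconditions applies If-Modified-Since / If-Unmodified-Since and, when a
// precondition short-circuits the request, answers 304 or 412 together with metadata.
func checkPreconditions(w http.ResponseWriter, r *http.Request, obj object) bool {
	if v := r.Header.Get("If-Modified-Since"); v != "" {
		if t, err := http.ParseTime(v); err == nil && !obj.lastModified.After(t) {
			writeMeta(w, obj)
			w.WriteHeader(http.StatusNotModified)
			return true
		}
	}
	if v := r.Header.Get("If-Unmodified-Since"); v != "" {
		if t, err := http.ParseTime(v); err == nil && obj.lastModified.After(t) {
			writeMeta(w, obj)
			w.WriteHeader(http.StatusPreconditionFailed)
			return true
		}
	}
	return false
}

// vulnerableHead evaluates the conditional headers before the anonymous-access
// check, so an existing object answers 304/412 with metadata while a missing one
// answers 403: an existence oracle plus metadata leak for unauthenticated callers.
func vulnerableHead(w http.ResponseWriter, r *http.Request) {
	key := r.URL.Path[1:]
	obj, ok := store[key]
	if !ok {
		w.WriteHeader(http.StatusForbidden) // assumption: anonymous caller sees AccessDenied, not 404
		return
	}
	if checkPreconditions(w, r, obj) {
		return
	}
	if !anonymousAllowed(key) {
		w.WriteHeader(http.StatusForbidden)
		return
	}
	writeMeta(w, obj)
	w.WriteHeader(http.StatusOK)
}

// fixedHead authorizes first; preconditions are only consulted once access is allowed,
// so existing and missing objects are indistinguishable to a denied anonymous caller.
func fixedHead(w http.ResponseWriter, r *http.Request) {
	key := r.URL.Path[1:]
	obj, ok := store[key]
	if !ok || !anonymousAllowed(key) {
		w.WriteHeader(http.StatusForbidden)
		return
	}
	if checkPreconditions(w, r, obj) {
		return
	}
	writeMeta(w, obj)
	w.WriteHeader(http.StatusOK)
}

// probe sends an anonymous HEAD with a far-future If-Modified-Since and returns the
// status code plus the Last-Modified header that leaked (empty if none).
func probe(h http.HandlerFunc, key string) (int, string) {
	req := httptest.NewRequest(http.MethodHead, "/"+key, nil)
	req.Header.Set("If-Modified-Since", "Sat, 01 Jan 2050 00:00:00 GMT")
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code, rec.Header().Get("Last-Modified")
}

func main() {
	for _, key := range []string{"private-bucket/report.pdf", "private-bucket/nope.pdf"} {
		vs, vl := probe(vulnerableHead, key)
		fs, fl := probe(fixedHead, key)
		fmt.Printf("%-28s vulnerable: %d %q  fixed: %d %q\n", key, vs, vl, fs, fl)
	}
}
```

Running it shows the vulnerable handler returning 304 with a Last-Modified value for the real object and 403 for the guessed name, while the fixed handler returns a bare 403 for both. The same pattern applies to any precondition, range or cache-validation logic placed ahead of an authorization check: anything that changes the status code or headers based on object state is an oracle if it runs before access is decided.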
References
- developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-Modified-Since
- developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-Unmodified-Since
- github.com/advisories/GHSA-95fr-cm4m-q5p9
- github.com/minio/minio
- github.com/minio/minio/commit/e0fe7cc391724fc5baa85b45508f425020fe4272
- github.com/minio/minio/pull/19810
- github.com/minio/minio/security/advisories/GHSA-95fr-cm4m-q5p9
- nvd.nist.gov/vuln/detail/CVE-2024-36107