Advisories for Golang/Github.com/Treeverse/Lakefs package

2024

User with ci:ReadAction permissions and write permissions to one path in a repository may copy objects from any path in the repository

Impact: A bug in permissions validation allows a user with the ci:ReadAction permission to skip read checks when copying an object. If they additionally have read and write permission to a path in the repository, they can copy an otherwise unreadable object and read it. In order to be affected and exploitable, the following conditions must ALL occur on the same user: ci:ReadAction enabled for the repository; predefined policies RepoManagementRead and …

2023

User with permission to write actions can impersonate another user when auth token is configured in environment variable

Impact: When lakeFS is configured with ALL of the following: the configuration option auth.encrypt.secret_key is passed through an environment variable, and actions are enabled via the configuration option actions.enabled (enabled by default), then a user who can configure an action can impersonate any other user. Patches: Has the problem been patched? What versions should users upgrade to? Workarounds: ANY ONE of these is sufficient to prevent the issue: Do not pass auth.encrypt.secret_key through an environment variable. For …

lakeFS logs S3 credentials in plain text

Impact: S3 credentials are logged in plain text. The fragment S3Creds:{Key:AKIAIOSFODNN7EXAMPLE Secret:wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY appears as part of the log message: time="2023-05-12T13:51:52Z" level=error msg="failed to perform diff" func="pkg/plugins/diff.(*Service).RunDiff" file="build/pkg/plugins/diff/service.go:124" error="rpc error: code = Canceled desc = stream terminated by RST_STREAM with error code: CANCEL" host="localhost:8000" method=GET operation_id=OtfDiff params="{TablePaths:{Left:{Ref:data_load@ Path:aggs/agg_variety/} Right:{Ref:data_load Path:aggs/agg_variety/} Base:{Ref: Path:}} S3Creds:{Key:AKIAIOSFODNN7EXAMPLE Secret:wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY Endpoint:http://0.0.0.0:8000} Repo:example}" path="/api/v1/repositories/example/otf/refs/data_load%40/diff/data_load?table_path=aggs%2Fagg_variety%2F&type=delta" request_id=d3b6fdc7-2544-4c12-8e05-376f16e35a80 service_name=rest_api type=delta user=docker. Discovered when investigating #5862. Patches: Has the problem been patched? What versions …

lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files

Impact: The browser renders the resulting HTML when opening a direct link to an HTML file via lakeFS. Any JavaScript within that page is executed within the context of the domain lakeFS is running in. An attacker can inject a malicious script inline, download resources from another domain, or make arbitrary HTTP requests. This would allow the attacker to send information to a random domain or carry out lakeFS operations …

2022

lakeFS vulnerable to authenticated users deleting files they are not authorized to delete

Authenticated users can send a request to delete-objects through the S3 gateway and delete files they are not authorized to delete. Patches: lakeFS v0.82.0 and later. Workaround: Drop specific requests to the lakeFS listen port: any request with an "Authorization" header whose value starts with "AWS". If you have any questions or comments about this advisory, ask on the lakeFS Slack #help channel or email us at security@treeverse.io.

2021

Improper Access Control in github.com/treeverse/lakefs

Impact: [medium] A user with write permissions to a portion of a repository may use the S3 gateway to copy any object in the repository if they know its name. [medium] A user with permission to write any one of tags, branches, or commits on a repository may write all of them. [low] A user with permission to read any one of tags, branches, or commits on a repository may …