GMS-2022-4497: lakeFS vulnerable to authenticated users deleting files they are not authorized to delete

September 23, 2022 (updated January 8, 2023)

Authenticated users can send a request to delete-objects through the s3 gateway and delete files they are not authorized to delete. Patches: lakeFS v0.82.0 and later. Workaround: Drop specific request to the lakeFS listen port. Any request with “Authorization” header and value that starts with “AWS”. If you have any questions or comments about this advisory, ask on the lakeFS Slack #help channel or email us at security@treeverse.io.

References

github.com/advisories/GHSA-28q9-9c3g-v3f9
github.com/treeverse/lakeFS/commit/81182bf9c0cf57f3cec3c893cf739b2069305e37
github.com/treeverse/lakeFS/security/advisories/GHSA-28q9-9c3g-v3f9

Detect and mitigate GMS-2022-4497 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →