
Improper Access Control in github.com/treeverse/lakefs/pkg/gateway/operations

High
nopcoder published GHSA-28q9-9c3g-v3f9 Sep 22, 2022

Package

github.com/treeverse/lakefs/pkg/gateway/operations (lakeFS)

Affected versions

<0.81.x

Patched versions

0.82.0

Description

Impact

Authenticated users can send a delete-objects request through the S3 gateway and delete files they are not authorized to delete.

Patches

lakeFS v0.82.0 and later

Workarounds

Drop specific requests at the lakeFS listen port: any request whose "Authorization" header value starts with "AWS" (the prefix used by S3-style gateway credentials).
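The workaround above, as an added example in Go that is not part of lakeFS or this advisory: a hypothetical HTTP middleware (`blockS3GatewayAuth`, `statusFor`, and the sample paths and keys are all constructed here) placed in front of the lakeFS listen port that rejects requests carrying an "AWS"-prefixed Authorization header and passes all other traffic through.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// blockS3GatewayAuth is a hypothetical filter (added example, not lakeFS code).
// It rejects any request whose Authorization header value starts with "AWS",
// which covers both S3 SigV2 ("AWS <access-key>:<signature>") and
// SigV4 ("AWS4-HMAC-SHA256 Credential=...") credentials used by the S3 gateway,
// and passes everything else (e.g. the lakeFS REST API with "Bearer" tokens) through.
// The advisory says "drop"; this example answers 403 so the client sees an explicit error.
func blockS3GatewayAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if strings.HasPrefix(r.Header.Get("Authorization"), "AWS") {
			http.Error(w, "S3 gateway disabled until lakeFS >= 0.82.0", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor sends one constructed request through the filter in front of a
// stand-in upstream that always answers 200, and returns the resulting status code.
func statusFor(method, path, authorization string) int {
	upstream := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	req := httptest.NewRequest(method, path, nil)
	if authorization != "" {
		req.Header.Set("Authorization", authorization)
	}
	rec := httptest.NewRecorder()
	blockS3GatewayAuth(upstream).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	// Constructed sample requests: a SigV2 multi-object delete, a SigV4 put, and a REST API call.
	fmt.Println(statusFor("POST", "/example-repo?delete", "AWS AKIAEXAMPLE:c2lnbmF0dXJl")) // 403
	fmt.Println(statusFor("PUT", "/example-repo/main/a.txt",
		"AWS4-HMAC-SHA256 Credential=AKIAEXAMPLE/20220922/us-east-1/s3/aws4_request")) // 403
	fmt.Println(statusFor("GET", "/api/v1/repositories", "Bearer example-token")) // 200
}
```

Because lakeFS serves the REST API and the S3 gateway on the same listen port, the prefix check is what keeps API clients working while gateway traffic is refused.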

References

advisories/GHSA-28q9-9c3g-v3f9

For more information

If you have any questions or comments about this advisory:

Ask on the lakeFS Slack #help channel
Email us at security@treeverse.io

Severity

High

CVE ID

No known CVE

Weaknesses