
CVE-2023-28433: fix: convert '\' to '/' on windows (#16852) · minio/minio@8d6558b

MinIO is a multi-cloud object storage framework. All users on Windows running a version prior to RELEASE.2023-03-20T20-16-18Z are affected. MinIO fails to filter the `\` character, which allows arbitrary object placement across buckets. As a result, a user with low privileges, such as an access key, service account, or STS credential that only has permission to PutObject in a specific bucket, can create an admin user. This issue is patched in RELEASE.2023-03-20T20-16-18Z. There are no known workarounds.


@@ -22,6 +22,7 @@ import (

“net”

“net/http”

“path”

“path/filepath”

“runtime/debug”

“strings”

“sync/atomic”
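Review bot: the new `"path/filepath"` import is only there for the `filepath.ToSlash` call in the next hunk, and that call is platform-dependent: it rewrites `\` to `/` only when the OS path separator is `\`, so on Linux builds `hasBadPathComponent` is unchanged. That matches the commit title ("on windows"), but it means the function's behaviour now differs by OS; a test that runs the object-name cases with both separators would document the intent.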

@@ -349,7 +350,7 @@ func hasBadHost(host string) error {

// Check if the incoming path has bad path components,

// such as “…” and “.”

func hasBadPathComponent(path string) bool {

path = strings.TrimSpace(path)

path = filepath.ToSlash(strings.TrimSpace(path)) // For windows ‘\’ must be converted to ‘/’

for _, p := range strings.Split(path, SlashSeparator) {

switch strings.TrimSpace§ {

case dotdotComponent:
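Review bot: the new `filepath.ToSlash(strings.TrimSpace(path))` line makes the `..`/`.` component check see components that a `\` previously hid, but it normalizes rather than rejects: an object name containing `\` is silently rewritten and accepted under a different key than the one the client sent, which is surprising for a security check and hard to audit from the request log. Refusing names that contain `\` on Windows, as the companion commit `b3c54ec` (#16856) listed in the advisory below does, is the stricter option, and the two changes belong together; a short comment here pointing at that rejection would save the next reader from thinking this conversion is the whole fix.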

Related news

GHSA-w23q-4hw3-2pp6: Minio vulnerable to Privilege Escalation on Windows via Path separator manipulation

### Impact

All users on Windows are impacted. MinIO fails to filter the `\` character, which allows for arbitrary object placement across buckets. As a result, a user with low privileges, such as an access key, service account, or STS credential, which only has permission to `PutObject` in a specific bucket, can create an admin user.

### Patches

There are two patches that fix this problem comprehensively:

```
commit b3c54ec81e0a06392abfb3a1ffcdc80c6fbf6ebc
Author: Harshavardhana <[email protected]>
Date:   Mon Mar 20 13:16:00 2023 -0700

    reject object names with '\' on windows (#16856)
```

```
commit 8d6558b23649f613414c8527b58973fbdfa4d1b8
Author: Harshavardhana <[email protected]>
Date:   Mon Mar 20 00:35:25 2023 -0700

    fix: convert '\' to '/' on windows (#16852)
```

### Workarounds

There are no known workarounds.

### References

The vulnerable code:

```go
// minio/cmd/generic-handlers.go
// Check if the incoming path has bad path components,
// such as ".." and "."
// SlashSep...
```
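To make the advisory concrete, here is an added example (written for this page, not MinIO's own code) that models the component check before the fix, after commit 8d6558b (fold `\` into `/`), and after commit b3c54ec (refuse names containing `\`). Because `filepath.ToSlash` is a no-op outside Windows, the backslash replacement is written out explicitly so the Windows behaviour can be reproduced on any OS; the object names are constructed samples.

```go
package main

import (
	"fmt"
	"strings"
)

// SlashSeparator mirrors the separator constant used by MinIO's path checks.
const SlashSeparator = "/"

// hasBadPathComponentUnpatched is the pre-fix logic: the object name is split
// only on '/', so a ".." that sits behind a '\' never becomes its own component.
func hasBadPathComponentUnpatched(path string) bool {
	path = strings.TrimSpace(path)
	for _, p := range strings.Split(path, SlashSeparator) {
		switch strings.TrimSpace(p) {
		case "..", ".": // dotdotComponent / dotComponent in MinIO
			return true
		}
	}
	return false
}

// hasBadPathComponentNormalized follows commit 8d6558b: convert '\' to '/'
// before splitting. strings.ReplaceAll is used instead of filepath.ToSlash so
// the Windows behaviour is modelled on every OS (assumption for this example).
func hasBadPathComponentNormalized(path string) bool {
	path = strings.ReplaceAll(strings.TrimSpace(path), `\`, SlashSeparator)
	return hasBadPathComponentUnpatched(path)
}

// rejectsBackslash follows the companion commit b3c54ec: on Windows an object
// name containing '\' is refused outright instead of being rewritten.
func rejectsBackslash(path string) bool {
	return strings.Contains(path, `\`)
}

func main() {
	// Constructed sample object names; none refer to a real MinIO internal path.
	for _, name := range []string{
		"photos/2023/cat.jpg",
		"photos/../secret.txt",
		`photos\..\..\other-bucket\object`,
		`photos\2023\cat.jpg`,
	} {
		fmt.Printf("%-36q unpatched=%-5v normalized=%-5v rejectBackslash=%v\n",
			name, hasBadPathComponentUnpatched(name),
			hasBadPathComponentNormalized(name), rejectsBackslash(name))
	}
}
```

The third sample is the shape of name the advisory describes: the unpatched check passes it because it contains no `/`, while both patched variants stop it.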
