GHSA-28q9-9c3g-v3f9: lakeFS vulnerable to authenticated users deleting files they are not authorized to delete

Impact

Authenticated users can send a request to delete-objects through the s3 gateway and delete files they are not authorized to delete.

Patches

lakeFS v0.82.0 and later

Workarounds

Drop specific requests to the lakeFS listen port: any request with an “Authorization” header whose value starts with "AWS".
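
One way to apply this workaround until the upgrade to v0.82.0 is a small filtering reverse proxy placed in front of lakeFS. This is an added example, not code from lakeFS or from the advisory; the listen and upstream addresses and the function names are assumptions. Because S3 Signature V2 (`AWS <key>:<signature>`) and V4 (`AWS4-HMAC-SHA256 ...`) header values both start with "AWS", the filter refuses every header-signed S3 gateway request, while requests using other authorization schemes pass through.

```go
package main

import (
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"strings"
)

// isS3GatewayAuth reports whether any Authorization header value starts
// with "AWS". The comparison ignores case and leading whitespace, which is
// slightly stricter than the advisory's wording (an assumption of this example).
func isS3GatewayAuth(r *http.Request) bool {
	for _, v := range r.Header.Values("Authorization") {
		if strings.HasPrefix(strings.ToUpper(strings.TrimSpace(v)), "AWS") {
			return true
		}
	}
	return false
}

// dropS3GatewayAuth rejects matching requests before they reach next.
// The header value is deliberately not logged: it contains an access key ID.
func dropS3GatewayAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if isS3GatewayAuth(r) {
			log.Printf("blocked S3 gateway request: %s %s from %s", r.Method, r.URL.Path, r.RemoteAddr)
			http.Error(w, "S3 gateway disabled (GHSA-28q9-9c3g-v3f9 workaround)", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Assumed layout: lakeFS is rebound to loopback port 8001 and this
	// filter takes over the externally reachable port 8000.
	upstream, err := url.Parse("http://127.0.0.1:8001")
	if err != nil {
		log.Fatal(err)
	}
	proxy := httputil.NewSingleHostReverseProxy(upstream)
	log.Fatal(http.ListenAndServe(":8000", dropS3GatewayAuth(proxy)))
}
```

The filter is only effective if lakeFS itself is no longer reachable directly on its original port.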

References

advisories/GHSA-28q9-9c3g-v3f9

For more information

If you have any questions or comments about this advisory:

Ask on the lakeFS Slack #help channel
Email us at [email protected]


High severity • GitHub Reviewed • Published Sep 23, 2022 in treeverse/lakeFS • Updated Sep 23, 2022

Package

gomod github.com/treeverse/lakefs (Go)

Affected versions

< 0.82.0

References

  • GHSA-28q9-9c3g-v3f9
  • treeverse/lakeFS@81182bf
