Headline
GHSA-jv3f-7m33-qp65: Minio console object names with RIGHT-TO-LEFT OVERRIDE unicode character can be exploited
Impact
Unicode RIGHT-TO-LEFT OVERRIDE characters can be used to mask the original filename.
Reported-By
Thanks to the report from Mio Li [email protected]
Patches
commit 17e791afb90c9ad27c65f63c6be14f2f6a3a9d60
Author: Daniel Valdivia <[email protected]>
Date: Tue May 23 08:47:12 2023 -0700
Replace RIGHT-TO-LEFT OVERRIDE unicode (#2828)
Signed-off-by: Daniel Valdivia <[email protected]>
Workarounds
Workarounds are to remove the concerned file and rewrite it properly with the right file and extensions. Avoid using RTLO characters in your filenames.
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2023-33955
Minio console object names with RIGHT-TO-LEFT OVERRIDE unicode character can be exploited
Low severity GitHub Reviewed Published May 25, 2023 in minio/console • Updated May 26, 2023
Package
gomod github.com/minio/console (Go)
Affected versions
< 0.28.0
Impact
Unicode RIGHT-TO-LEFT OVERRIDE characters can be used to mask the original filename.
Reported-By
Thanks to the report from Mio Li [email protected]
Patches
commit 17e791afb90c9ad27c65f63c6be14f2f6a3a9d60
Author: Daniel Valdivia <[email protected]>
Date: Tue May 23 08:47:12 2023 -0700
Replace RIGHT-TO-LEFT OVERRIDE unicode (#2828)
Signed-off-by: Daniel Valdivia <[email protected]>
Workarounds
Workarounds are to remove the concerned file and rewrite it properly with the right file and extensions. Avoid using RTLO characters in your filenames.
References
- GHSA-jv3f-7m33-qp65
- minio/console@17e791a
Published to the GitHub Advisory Database
May 26, 2023
Last updated
May 26, 2023
Related news
Minio Console is the UI for MinIO Object Storage. Unicode RIGHT-TO-LEFT OVERRIDE characters can be used to mask the original filename. This issue has been patched in version 0.28.0.