Impact
Everyone is impacted who uses MinIO multi-users.
Patches
Users are advised to upgrade to RELEASE.2021-03-04T00-53-13Z to fix this problem.
The problem is sufficiently addressed by this PR #11682
Workarounds
Disable uploads with Content-Type: multipart/form-data
as mentioned in the S3 API https://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectPOST.html by using a proxy in front of MinIO.
References
This issue was directly reported to us at security@minio.io and successfully reproduced by @vonera
For more information
If you have any questions or comments about this advisory:
Impact
Everyone is impacted who uses MinIO multi-users.
Patches
Users are advised to upgrade to RELEASE.2021-03-04T00-53-13Z to fix this problem.
The problem is sufficiently addressed by this PR #11682
Workarounds
Disable uploads with
Content-Type: multipart/form-data
as mentioned in the S3 API https://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectPOST.html by using a proxy in front of MinIO.References
This issue was directly reported to us at security@minio.io and successfully reproduced by @vonera
For more information
If you have any questions or comments about this advisory: