lakeFS vulnerable to authenticated users deleting files they are not authorized to delete
Description
Published to the GitHub Advisory Database
Sep 23, 2022
Reviewed
Sep 23, 2022
Last updated
Jan 8, 2023
Impact
Authenticated users can send a request to delete-objects through the s3 gateway and delete files they are not authorized to delete.
Patches
lakeFS v0.82.0 and later
Workarounds
Drop specific request to the lakeFS listen port. Any request with "Authorization" header and value that starts with "AWS".
References
advisories/GHSA-28q9-9c3g-v3f9
For more information
If you have any questions or comments about this advisory:
Ask on the lakeFS Slack #help channel
Email us at security@treeverse.io
References