Skip to content

lakeFS vulnerable to authenticated users deleting files they are not authorized to delete

High severity GitHub Reviewed Published Sep 22, 2022 in treeverse/lakeFS • Updated Jan 8, 2023

Package

gomod github.com/treeverse/lakefs (Go)

Affected versions

< 0.82.0

Patched versions

0.82.0

Description

Impact

Authenticated users can send a request to delete-objects through the s3 gateway and delete files they are not authorized to delete.

Patches

lakeFS v0.82.0 and later

Workarounds

Drop specific request to the lakeFS listen port. Any request with "Authorization" header and value that starts with "AWS".

References

advisories/GHSA-28q9-9c3g-v3f9

For more information

If you have any questions or comments about this advisory:

Ask on the lakeFS Slack #help channel
Email us at security@treeverse.io

References

@nopcoder nopcoder published to treeverse/lakeFS Sep 22, 2022
Published to the GitHub Advisory Database Sep 23, 2022
Reviewed Sep 23, 2022
Last updated Jan 8, 2023

Severity

High

CVE ID

No known CVE

GHSA ID

GHSA-28q9-9c3g-v3f9

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.