4.3 MEDIUM
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): Low (L)
- User Interaction (UI): None (N)
- Scope (S): Unchanged (U)
- Confidentiality (C): Low (L)
- Integrity (I): None (N)
- Availability (A): None (N)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): Low (L)
- Modified Privileges Required (MPR): Low (L)
- Modified User Interaction (MUI): None (N)
- Modified Confidentiality (MC): Low (L)
- Modified Scope (MS): Unchanged (U)
- Modified Integrity (MI): None (N)
- Modified Availability (MA): None (N)
Activity log
- Created suggestion
SeaweedFS: Improper authorization in the S3Tables / Iceberg REST management API lets a low-privileged S3 user enumerate administrator-owned table buckets
SeaweedFS is a distributed storage system. In versions 4.08 through 4.33, requests signed with SigV4 service s3tables are routed to the S3Tables management API where authorization collapses account-less S3 identities into the shared admin account and fails open, allowing an authenticated low-privileged S3 user to enumerate administrator-owned table bucket names and ARNs. This issue is fixed in version 4.34.
References
-
https://github.com/seaweedfs/seaweedfs/security/advisories/GHSA-hgpf-8634-g44c x_refsource_CONFIRM
-
https://github.com/seaweedfs/seaweedfs/pull/9961 x_refsource_MISC
-
https://github.com/seaweedfs/seaweedfs/releases/tag/4.34 x_refsource_MISC
Affected products
- ==>= 4.08, < 4.34
Package maintainers
-
@cmacrae Calum MacRae <hi@cmacr.ae>
-
@wozeparrot Woze Parrot <wozeparrot@gmail.com>
-
@azahi Azat Bahawi <azat@bahawi.net>