MinIO performs incomplete signature validation for unsigned-trailer uploads

MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. The signature component of the authorization may be invalid, which would mean that as a client you can use any arbitrary secret to upload objects given the user already has prior WRITE permissions on the bucket. Prior knowledge of access-key, and bucket name this user might have access to - and an access-key with a WRITE permissions is necessary. However with relevant information in place, uploading random objects to buckets is trivial and easy via curl. This issue is fixed in RELEASE.2025-04-03T14-56-28Z.

N/A

密码学签名的验证不恰当

MinIO 数据伪造问题漏洞

MinIO是美国MinIO公司的一款开源的对象存储服务器。该产品支持构建用于机器学习、分析和应用程序数据工作负载的基础架构。 MinIO存在数据伪造问题漏洞，该漏洞源于授权签名组件可能无效，可能导致任意对象上传。

N/A

N/A