# Vulnerability Summary

## Overview

This vulnerability involves a misconfiguration of the chunk size setting used for multipart uploads to the MinIO object storage server. When a client uses the AWS SDK to upload large files, an improperly configured chunk size (e.g., set to 64MB) can cause the MinIO server to reject the upload request.

## Impact Scope

- Clients using the AWS SDK to upload large files
- Multipart upload scenarios with a specific chunk size configuration
- Especially when the chunk size is set to 64MB

## Remediation

1. Adjust the chunk size configuration to avoid using large values such as 64MB
2. Use a more reasonable chunk size (e.g., 4MB)
3. Correctly configure multipart upload parameters in the client code

## POC Code

```bash
# Configure the AWS CLI profile to use a 64MB multipart chunk size
aws configure --profile test-elm set s3.multipart_chunksize 64MB

# Use path-style addressing for this profile
aws configure --profile test-elm set s3.addressing_style path

# Upload a file to bucket "jlar" under key "x.6" for testing
aws s3 cp /tmp/r.6 s3://jlar/x.6 --profile test-elm
```

```go
// Example Go code: describe the file to upload in parts
mpf, err := s3checksum.NewMultipartFile(s3checksum.MultipartFileOpts{
	FilePath:     file,
	ManifestFile: manifestFile,
	PartSize:     chunkSize * 1024 * 1024, // converts a MiB count to bytes
	Threads:      threads,
})

// Uploader configuration
uploader := manager.NewUploader(client, func(u *manager.Uploader) {
	u.PartSize = opts.PartSize
	u.Concurrency = opts.NumUploadLines
})
```
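
A pre-flight check for the `PartSize` value handed to the uploader above, as an added example (not code from the original report, MinIO, or the AWS SDK). `PlanUpload`, `Plan` and the sample sizes are hypothetical; the limits are the documented Amazon S3 multipart limits, assumed here to apply to the server being targeted.

```go
package main

import (
	"errors"
	"fmt"
)

// Documented Amazon S3 multipart limits (assumption: the target server enforces the same).
const (
	MiB         int64 = 1 << 20
	MinPartSize       = 5 * MiB        // applies to every part except the last
	MaxPartSize       = 5 * 1024 * MiB // 5 GiB
	MaxParts    int64 = 10000
)

// Plan describes how a file would be split for a given part size.
type Plan struct {
	Parts    int64 // number of UploadPart requests
	LastPart int64 // size in bytes of the final part
	InFlight int64 // bytes in flight at once: partSize * concurrency
}

// PlanUpload validates partSize (in bytes) and returns the resulting split.
func PlanUpload(fileSize, partSize int64, concurrency int) (Plan, error) {
	if fileSize <= 0 || concurrency <= 0 {
		return Plan{}, errors.New("fileSize and concurrency must be positive")
	}
	if partSize < MinPartSize || partSize > MaxPartSize {
		return Plan{}, fmt.Errorf("part size %d outside [%d, %d]", partSize, MinPartSize, MaxPartSize)
	}
	parts := (fileSize + partSize - 1) / partSize // ceiling division
	if parts > MaxParts {
		return Plan{}, fmt.Errorf("%d parts exceeds limit of %d; raise part size", parts, MaxParts)
	}
	last := fileSize - (parts-1)*partSize
	return Plan{Parts: parts, LastPart: last, InFlight: partSize * int64(concurrency)}, nil
}

func main() {
	// Constructed sample: 1 GiB file, 64 MiB parts (the page's setting), concurrency 4.
	p, err := PlanUpload(1024*MiB, 64*MiB, 4)
	fmt.Printf("%+v err=%v\n", p, err)
}
```

Calling a check like this before constructing the uploader turns a bad part size into a local error instead of a rejected request partway through an upload.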