MinIO Object Storage Read-Only Policy Bypass Vulnerability

Vulnerability

A vulnerability exists in MinIO, an open-source object storage service compatible with Amazon S3, prior to version RELEASE.2021-03-04T00-53-13Z. The issue allows users to bypass a readOnly policy by generating a temporary 'mc share upload' URL. This vulnerability affects all users of MinIO's multi-user feature.

Impact

Exploitation of this vulnerability gives a user who holds only a readOnly policy unauthorized write access to objects, bypassing the intended read-only restriction.

Reproduction

To reproduce this vulnerability, create a temporary 'mc share upload' URL using the MinIO client (mc) while the readOnly policy is in effect. This URL can then be used to upload objects, effectively bypassing the policy restrictions.

Remediation

Users are advised to upgrade to MinIO version RELEASE.2021-03-04T00-53-13Z or later. For those unable to upgrade, as a temporary workaround, disable uploads with 'Content-Type: multipart/form-data' using a proxy in front of MinIO.
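The proxy-side workaround above, as an added example that is not part of the advisory or of MinIO's own code: a request filter that rejects multipart/form-data POSTs (the encoding used by the presigned form uploads that `mc share upload` produces) before they reach an unpatched server, plus a scan over access-log lines for the same requests. The log format and all sample requests are constructed for this example.

```python
"""Interim mitigation and detection for the MinIO readOnly bypass."""
import re
from typing import Dict, List, Optional, Tuple

def is_form_upload(method: str, headers: Dict[str, str]) -> bool:
    """True for a multipart/form-data POST, i.e. a browser/presigned form upload."""
    # S3-style form uploads are always POST; PUT uploads are already subject
    # to the readOnly policy check and need no proxy rule.
    if method.upper() != "POST":
        return False
    # Header names are case-insensitive and the value may carry parameters
    # ("multipart/form-data; boundary=..."), so compare the media type only.
    ctype = next((v for k, v in headers.items() if k.lower() == "content-type"), "")
    media_type = ctype.split(";", 1)[0].strip().lower()
    return media_type == "multipart/form-data"

def filter_request(method: str, path: str, headers: Dict[str, str]) -> Optional[int]:
    """Return an HTTP status to answer with directly (403), or None to forward upstream."""
    if is_form_upload(method, headers):
        return 403
    return None

# Constructed access-log layout: client, ident, user, time, request, status, content-type.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) "(?P<ctype>[^"]*)"$'
)

SAMPLE_LOG = """\
10.0.0.5 - - [04/Mar/2021:10:00:01 +0000] "GET /data/report.csv HTTP/1.1" 200 "-"
10.0.0.7 - - [04/Mar/2021:10:00:09 +0000] "POST /data HTTP/1.1" 204 "multipart/form-data; boundary=abc123"
10.0.0.7 - - [04/Mar/2021:10:00:15 +0000] "PUT /data/new.txt HTTP/1.1" 403 "text/plain"
"""

def find_form_uploads(log_text: str) -> List[Tuple[str, str, int]]:
    """Return (client, path, status) for every form upload seen in the log."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_form_upload(m["method"], {"Content-Type": m["ctype"]}):
            hits.append((m["ip"], m["path"], int(m["status"])))
    return hits

if __name__ == "__main__":
    print(filter_request("POST", "/data", {"Content-Type": "multipart/form-data; boundary=x"}))
    print(find_form_uploads(SAMPLE_LOG))
```

A 2xx status on a matched line means the upload reached storage and the policy was bypassed, which is the signal to hunt for on unpatched hosts.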

Added: Mar 11, 2026, 6:56 PM
Updated: Mar 11, 2026, 6:56 PM