MinIO Java SDK XML Tag Value Substitution Vulnerability Leading to Information Disclosure
Vulnerability
A vulnerability exists in MinIO Java SDK versions prior to 8.6.0, where XML tag values referencing system properties or environment variables were automatically replaced with their actual values during processing. This unintended behavior could result in the exposure of sensitive information, such as credentials, file paths, or system configuration details, if the XML content came from untrusted sources. All applications using affected versions of the MinIO Java SDK to parse XML with potentially untrusted input are vulnerable.
Impact
Exploitation of this vulnerability could lead to unauthorized information disclosure, allowing attackers to extract sensitive data from system properties or environment variables. This could compromise the security of applications that rely on the MinIO Java SDK for object storage operations.
Remediation
Users are advised to upgrade to MinIO Java SDK version 8.6.0 or later, where this vulnerability has been addressed by disabling the automatic substitution of XML tag values with system properties or environment variables. For those unable to upgrade immediately, it is recommended to avoid processing XML from untrusted sources and to implement input validation to remove references to system properties or environment variables.
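The following Java class is an added example, not part of this advisory and not code from the MinIO project; it implements the pre-parse check the remediation describes for deployments that cannot upgrade yet. It parses untrusted XML with DTDs and entity expansion disabled, walks every text node and attribute, and rejects the document if any value looks like a property or environment placeholder, so the content never reaches the SDK's parser. The `${name}` placeholder syntax is an assumption (the advisory does not state which syntax the substitution recognised), as are the class and method names; the sample tagging document is constructed.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NamedNodeMap;
import org.w3c.dom.Node;

public final class XmlPlaceholderGuard {
    // Assumed placeholder syntax "${name}": the advisory does not name the syntax,
    // so this pattern is an assumption, not taken from the SDK.
    private static final Pattern PLACEHOLDER = Pattern.compile("\\$\\{[^}]*\\}");

    private XmlPlaceholderGuard() {}

    /** Returns every placeholder-looking token found in text nodes and attribute values. */
    public static List<String> findPlaceholders(String xml) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        // Standard hardening for untrusted XML: no DTDs, no entity expansion.
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        factory.setExpandEntityReferences(false);
        DocumentBuilder builder = factory.newDocumentBuilder();
        Document doc = builder.parse(
                new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        List<String> hits = new ArrayList<>();
        walk(doc.getDocumentElement(), hits);
        return hits;
    }

    // Depth-first walk over the DOM, inspecting text, CDATA and attribute values.
    private static void walk(Node node, List<String> hits) {
        short type = node.getNodeType();
        if (type == Node.TEXT_NODE || type == Node.CDATA_SECTION_NODE) {
            collect(node.getNodeValue(), hits);
        }
        NamedNodeMap attrs = node.getAttributes();
        if (attrs != null) {
            for (int i = 0; i < attrs.getLength(); i++) {
                collect(attrs.item(i).getNodeValue(), hits);
            }
        }
        for (Node child = node.getFirstChild(); child != null; child = child.getNextSibling()) {
            walk(child, hits);
        }
    }

    private static void collect(String text, List<String> hits) {
        if (text == null) {
            return;
        }
        Matcher m = PLACEHOLDER.matcher(text);
        while (m.find()) {
            hits.add(m.group());
        }
    }

    /** Rejects XML containing placeholder tokens; call this before handing the document to the SDK. */
    public static String requireNoPlaceholders(String xml) throws Exception {
        List<String> hits = findPlaceholders(xml);
        if (!hits.isEmpty()) {
            throw new IllegalArgumentException(
                    "untrusted XML contains placeholder tokens: " + hits);
        }
        return xml;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a tagging document with one benign value and one placeholder.
        String sample = "<Tagging><TagSet>"
                + "<Tag><Key>owner</Key><Value>team-a</Value></Tag>"
                + "<Tag><Key>home</Key><Value>${user.home}</Value></Tag>"
                + "</TagSet></Tagging>";
        System.out.println("placeholders found: " + findPlaceholders(sample));
        try {
            requireNoPlaceholders(sample);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Rejecting the document is preferable to silently stripping the tokens: a placeholder in XML that is supposed to carry plain tag values is a signal worth logging, and rewriting the input can mask the attempt while still changing the stored data.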