cvelistv5 - cve-2024-36107

CVE-2024-36107 (GCVE-0-2024-36107)

Vulnerability from cvelistv5 – Published: 2024-05-28 18:50 – Updated: 2024-09-03 15:28

Summary

MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. `If-Modified-Since` and `If-Unmodified-Since` headers when used with anonymous requests by sending a random object name requests can be used to determine if an object exists or not on the server on a specific bucket and also gain access to some amount of information such as `Last-Modified (of the latest version)`, `Etag (of the latest version)`, `x-amz-version-id (of the latest version)`, `Expires (metadata value of the latest version)`, `Cache-Control (metadata value of the latest version)`. This conditional check was being honored before validating if the anonymous access is indeed allowed on the metadata of an object. This issue has been addressed in commit `e0fe7cc3917`. Users must upgrade to RELEASE.2024-05-27T19-17-46Z for the fix. There are no known workarounds for this issue.

Severity ?

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor

Assigner

GitHub_M

References

URL

Tags

	https://github.com/minio/minio/security/advisorie…	x_refsource_CONFIRM
	https://github.com/minio/minio/pull/19810	x_refsource_MISC
	https://github.com/minio/minio/commit/e0fe7cc3917…	x_refsource_MISC
	https://developer.mozilla.org/en-US/docs/Web/HTTP…	x_refsource_MISC
	https://developer.mozilla.org/en-US/docs/Web/HTTP…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	minio	minio	Affected: < RELEASE.2024-05-27T19-17-46Z

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T03:30:13.046Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/minio/minio/security/advisories/GHSA-95fr-cm4m-q5p9",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/minio/minio/security/advisories/GHSA-95fr-cm4m-q5p9"
          },
          {
            "name": "https://github.com/minio/minio/pull/19810",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/minio/minio/pull/19810"
          },
          {
            "name": "https://github.com/minio/minio/commit/e0fe7cc391724fc5baa85b45508f425020fe4272",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/minio/minio/commit/e0fe7cc391724fc5baa85b45508f425020fe4272"
          },
          {
            "name": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-Modified-Since",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-Modified-Since"
          },
          {
            "name": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-Unmodified-Since",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-Unmodified-Since"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "minio",
            "vendor": "minio",
            "versions": [
              {
                "lessThan": "RELEASE.2024-05-27T19-17-46Z",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-36107",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-08-06T20:51:21.860158Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-03T15:28:54.674Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "minio",
          "vendor": "minio",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c RELEASE.2024-05-27T19-17-46Z"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. `If-Modified-Since` and `If-Unmodified-Since` headers when used with anonymous requests by sending a random object name requests can be used to determine if an object exists or not on the server on a specific bucket and also gain access to some amount of\ninformation such as  `Last-Modified (of the latest version)`, `Etag (of the latest version)`, `x-amz-version-id (of the latest version)`, `Expires (metadata value of the latest version)`, `Cache-Control (metadata value of the latest version)`. This conditional check was being honored before validating if the anonymous access is indeed allowed on the metadata of an object. This issue has been addressed in commit `e0fe7cc3917`. Users must upgrade to RELEASE.2024-05-27T19-17-46Z for the fix. There are no known workarounds for this issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-05-28T18:50:51.013Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/minio/minio/security/advisories/GHSA-95fr-cm4m-q5p9",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/minio/minio/security/advisories/GHSA-95fr-cm4m-q5p9"
        },
        {
          "name": "https://github.com/minio/minio/pull/19810",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/minio/minio/pull/19810"
        },
        {
          "name": "https://github.com/minio/minio/commit/e0fe7cc391724fc5baa85b45508f425020fe4272",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/minio/minio/commit/e0fe7cc391724fc5baa85b45508f425020fe4272"
        },
        {
          "name": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-Modified-Since",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-Modified-Since"
        },
        {
          "name": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-Unmodified-Since",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-Unmodified-Since"
        }
      ],
      "source": {
        "advisory": "GHSA-95fr-cm4m-q5p9",
        "discovery": "UNKNOWN"
      },
      "title": "Information disclosure in minio"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-36107",
    "datePublished": "2024-05-28T18:50:51.013Z",
    "dateReserved": "2024-05-20T21:07:48.186Z",
    "dateUpdated": "2024-09-03T15:28:54.674Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "descriptions": "[{\"lang\": \"en\", \"value\": \"MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. `If-Modified-Since` and `If-Unmodified-Since` headers when used with anonymous requests by sending a random object name requests can be used to determine if an object exists or not on the server on a specific bucket and also gain access to some amount of\\ninformation such as  `Last-Modified (of the latest version)`, `Etag (of the latest version)`, `x-amz-version-id (of the latest version)`, `Expires (metadata value of the latest version)`, `Cache-Control (metadata value of the latest version)`. This conditional check was being honored before validating if the anonymous access is indeed allowed on the metadata of an object. This issue has been addressed in commit `e0fe7cc3917`. Users must upgrade to RELEASE.2024-05-27T19-17-46Z for the fix. There are no known workarounds for this issue.\"}, {\"lang\": \"es\", \"value\": \"MinIO es un almacenamiento de objetos de alto rendimiento lanzado bajo la licencia p\\u00fablica general GNU Affero v3.0. Los encabezados `If-Modified-Since` y `If-Unmodified-Since` cuando se usan con solicitudes an\\u00f3nimas enviando un nombre de objeto aleatorio, las solicitudes se pueden usar para determinar si un objeto existe o no en el servidor en un dep\\u00f3sito espec\\u00edfico y tambi\\u00e9n obtener acceso a cierta cantidad de informaci\\u00f3n como `\\u00daltima modificaci\\u00f3n (de la \\u00faltima versi\\u00f3n)`, `Etag (de la \\u00faltima versi\\u00f3n)`, `x-amz-version-id (de la \\u00faltima versi\\u00f3n)`, `Expira (valor de metadatos) de la \\u00faltima versi\\u00f3n)`, `Cache-Control (valor de metadatos de la \\u00faltima versi\\u00f3n)`. Esta verificaci\\u00f3n condicional se cumpli\\u00f3 antes de validar si realmente se permite el acceso an\\u00f3nimo a los metadatos de un objeto. Este problema se solucion\\u00f3 en el commit \\\"e0fe7cc3917\\\". Los usuarios deben actualizar a RELEASE.2024-05-27T19-17-46Z para obtener la soluci\\u00f3n. No se conocen workarounds para este problema.\"}]",
      "id": "CVE-2024-36107",
      "lastModified": "2024-11-21T09:21:37.483",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\", \"baseScore\": 5.3, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 1.4}]}",
      "published": "2024-05-28T19:15:10.687",
      "references": "[{\"url\": \"https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-Modified-Since\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-Unmodified-Since\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/minio/minio/commit/e0fe7cc391724fc5baa85b45508f425020fe4272\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/minio/minio/pull/19810\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/minio/minio/security/advisories/GHSA-95fr-cm4m-q5p9\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-Modified-Since\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-Unmodified-Since\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://github.com/minio/minio/commit/e0fe7cc391724fc5baa85b45508f425020fe4272\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://github.com/minio/minio/pull/19810\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://github.com/minio/minio/security/advisories/GHSA-95fr-cm4m-q5p9\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Awaiting Analysis",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-200\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-36107\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-05-28T19:15:10.687\",\"lastModified\":\"2024-11-21T09:21:37.483\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. `If-Modified-Since` and `If-Unmodified-Since` headers when used with anonymous requests by sending a random object name requests can be used to determine if an object exists or not on the server on a specific bucket and also gain access to some amount of\\ninformation such as  `Last-Modified (of the latest version)`, `Etag (of the latest version)`, `x-amz-version-id (of the latest version)`, `Expires (metadata value of the latest version)`, `Cache-Control (metadata value of the latest version)`. This conditional check was being honored before validating if the anonymous access is indeed allowed on the metadata of an object. This issue has been addressed in commit `e0fe7cc3917`. Users must upgrade to RELEASE.2024-05-27T19-17-46Z for the fix. There are no known workarounds for this issue.\"},{\"lang\":\"es\",\"value\":\"MinIO es un almacenamiento de objetos de alto rendimiento lanzado bajo la licencia p\u00fablica general GNU Affero v3.0. Los encabezados `If-Modified-Since` y `If-Unmodified-Since` cuando se usan con solicitudes an\u00f3nimas enviando un nombre de objeto aleatorio, las solicitudes se pueden usar para determinar si un objeto existe o no en el servidor en un dep\u00f3sito espec\u00edfico y tambi\u00e9n obtener acceso a cierta cantidad de informaci\u00f3n como `\u00daltima modificaci\u00f3n (de la \u00faltima versi\u00f3n)`, `Etag (de la \u00faltima versi\u00f3n)`, `x-amz-version-id (de la \u00faltima versi\u00f3n)`, `Expira (valor de metadatos) de la \u00faltima versi\u00f3n)`, `Cache-Control (valor de metadatos de la \u00faltima versi\u00f3n)`. Esta verificaci\u00f3n condicional se cumpli\u00f3 antes de validar si realmente se permite el acceso an\u00f3nimo a los metadatos de un objeto. Este problema se solucion\u00f3 en el commit \\\"e0fe7cc3917\\\". Los usuarios deben actualizar a RELEASE.2024-05-27T19-17-46Z para obtener la soluci\u00f3n. No se conocen workarounds para este problema.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-200\"}]}],\"references\":[{\"url\":\"https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-Modified-Since\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-Unmodified-Since\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/minio/minio/commit/e0fe7cc391724fc5baa85b45508f425020fe4272\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/minio/minio/pull/19810\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/minio/minio/security/advisories/GHSA-95fr-cm4m-q5p9\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-Modified-Since\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-Unmodified-Since\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://github.com/minio/minio/commit/e0fe7cc391724fc5baa85b45508f425020fe4272\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://github.com/minio/minio/pull/19810\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://github.com/minio/minio/security/advisories/GHSA-95fr-cm4m-q5p9\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/minio/minio/security/advisories/GHSA-95fr-cm4m-q5p9\", \"name\": \"https://github.com/minio/minio/security/advisories/GHSA-95fr-cm4m-q5p9\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/minio/minio/pull/19810\", \"name\": \"https://github.com/minio/minio/pull/19810\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/minio/minio/commit/e0fe7cc391724fc5baa85b45508f425020fe4272\", \"name\": \"https://github.com/minio/minio/commit/e0fe7cc391724fc5baa85b45508f425020fe4272\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-Modified-Since\", \"name\": \"https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-Modified-Since\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-Unmodified-Since\", \"name\": \"https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-Unmodified-Since\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T03:30:13.046Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-36107\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-08-06T20:51:21.860158Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*\"], \"vendor\": \"minio\", \"product\": \"minio\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"RELEASE.2024-05-27T19-17-46Z\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-09-03T15:28:47.752Z\"}}], \"cna\": {\"title\": \"Information disclosure in minio\", \"source\": {\"advisory\": \"GHSA-95fr-cm4m-q5p9\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"minio\", \"product\": \"minio\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c RELEASE.2024-05-27T19-17-46Z\"}]}], \"references\": [{\"url\": \"https://github.com/minio/minio/security/advisories/GHSA-95fr-cm4m-q5p9\", \"name\": \"https://github.com/minio/minio/security/advisories/GHSA-95fr-cm4m-q5p9\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/minio/minio/pull/19810\", \"name\": \"https://github.com/minio/minio/pull/19810\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/minio/minio/commit/e0fe7cc391724fc5baa85b45508f425020fe4272\", \"name\": \"https://github.com/minio/minio/commit/e0fe7cc391724fc5baa85b45508f425020fe4272\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-Modified-Since\", \"name\": \"https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-Modified-Since\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-Unmodified-Since\", \"name\": \"https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-Unmodified-Since\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. `If-Modified-Since` and `If-Unmodified-Since` headers when used with anonymous requests by sending a random object name requests can be used to determine if an object exists or not on the server on a specific bucket and also gain access to some amount of\\ninformation such as  `Last-Modified (of the latest version)`, `Etag (of the latest version)`, `x-amz-version-id (of the latest version)`, `Expires (metadata value of the latest version)`, `Cache-Control (metadata value of the latest version)`. This conditional check was being honored before validating if the anonymous access is indeed allowed on the metadata of an object. This issue has been addressed in commit `e0fe7cc3917`. Users must upgrade to RELEASE.2024-05-27T19-17-46Z for the fix. There are no known workarounds for this issue.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-200\", \"description\": \"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-05-28T18:50:51.013Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-36107\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-09-03T15:28:54.674Z\", \"dateReserved\": \"2024-05-20T21:07:48.186Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-05-28T18:50:51.013Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

FKIE_CVE-2024-36107

Vulnerability from fkie_nvd - Published: 2024-05-28 19:15 - Updated: 2024-11-21 09:21

Severity ?

5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-Modified-Since
	security-advisories@github.com	https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-Unmodified-Since
	security-advisories@github.com	https://github.com/minio/minio/commit/e0fe7cc391724fc5baa85b45508f425020fe4272
	security-advisories@github.com	https://github.com/minio/minio/pull/19810
	security-advisories@github.com	https://github.com/minio/minio/security/advisories/GHSA-95fr-cm4m-q5p9
	af854a3a-2127-422b-91ae-364da2661108	https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-Modified-Since
	af854a3a-2127-422b-91ae-364da2661108	https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-Unmodified-Since
	af854a3a-2127-422b-91ae-364da2661108	https://github.com/minio/minio/commit/e0fe7cc391724fc5baa85b45508f425020fe4272
	af854a3a-2127-422b-91ae-364da2661108	https://github.com/minio/minio/pull/19810
	af854a3a-2127-422b-91ae-364da2661108	https://github.com/minio/minio/security/advisories/GHSA-95fr-cm4m-q5p9

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. `If-Modified-Since` and `If-Unmodified-Since` headers when used with anonymous requests by sending a random object name requests can be used to determine if an object exists or not on the server on a specific bucket and also gain access to some amount of\ninformation such as  `Last-Modified (of the latest version)`, `Etag (of the latest version)`, `x-amz-version-id (of the latest version)`, `Expires (metadata value of the latest version)`, `Cache-Control (metadata value of the latest version)`. This conditional check was being honored before validating if the anonymous access is indeed allowed on the metadata of an object. This issue has been addressed in commit `e0fe7cc3917`. Users must upgrade to RELEASE.2024-05-27T19-17-46Z for the fix. There are no known workarounds for this issue."
    },
    {
      "lang": "es",
      "value": "MinIO es un almacenamiento de objetos de alto rendimiento lanzado bajo la licencia p\u00fablica general GNU Affero v3.0. Los encabezados `If-Modified-Since` y `If-Unmodified-Since` cuando se usan con solicitudes an\u00f3nimas enviando un nombre de objeto aleatorio, las solicitudes se pueden usar para determinar si un objeto existe o no en el servidor en un dep\u00f3sito espec\u00edfico y tambi\u00e9n obtener acceso a cierta cantidad de informaci\u00f3n como `\u00daltima modificaci\u00f3n (de la \u00faltima versi\u00f3n)`, `Etag (de la \u00faltima versi\u00f3n)`, `x-amz-version-id (de la \u00faltima versi\u00f3n)`, `Expira (valor de metadatos) de la \u00faltima versi\u00f3n)`, `Cache-Control (valor de metadatos de la \u00faltima versi\u00f3n)`. Esta verificaci\u00f3n condicional se cumpli\u00f3 antes de validar si realmente se permite el acceso an\u00f3nimo a los metadatos de un objeto. Este problema se solucion\u00f3 en el commit \"e0fe7cc3917\". Los usuarios deben actualizar a RELEASE.2024-05-27T19-17-46Z para obtener la soluci\u00f3n. No se conocen workarounds para este problema."
    }
  ],
  "id": "CVE-2024-36107",
  "lastModified": "2024-11-21T09:21:37.483",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-05-28T19:15:10.687",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-Modified-Since"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-Unmodified-Since"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/minio/minio/commit/e0fe7cc391724fc5baa85b45508f425020fe4272"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/minio/minio/pull/19810"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/minio/minio/security/advisories/GHSA-95fr-cm4m-q5p9"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-Modified-Since"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-Unmodified-Since"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/minio/minio/commit/e0fe7cc391724fc5baa85b45508f425020fe4272"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/minio/minio/pull/19810"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/minio/minio/security/advisories/GHSA-95fr-cm4m-q5p9"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-200"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GHSA-95FR-CM4M-Q5P9

Vulnerability from github – Published: 2024-05-29 18:37 – Updated: 2024-05-29 18:37

Summary

MinIO information disclosure vulnerability

Details

Impact

If-Modified-Since If-Unmodified-Since

Headers when used with anonymous requests by sending a random object name requests you can figure out if the object exists or not on the server on a specific bucket and also gain access to some amount of information such as

Last-Modified (of the latest version)
Etag (of the latest version) 
x-amz-version-id (of the latest version)
Expires (metadata value of the latest version)
Cache-Control (metadata value of the latest version)

This conditional check was being honored before validating if the anonymous access is indeed allowed on the metadata of an object.

Patches

Yes this issue has been already fixed in

commit e0fe7cc391724fc5baa85b45508f425020fe4272 (HEAD -> master, origin/master)
Author: Harshavardhana <harsha@minio.io>
Date:   Mon May 27 12:17:46 2024 -0700

    fix: information disclosure bug in preconditions GET (#19810)

    precondition check was being honored before, validating
    if anonymous access is allowed on the metadata of an
    object, leading to metadata disclosure of the following
    headers.

    ```
    Last-Modified
    Etag
    x-amz-version-id
    Expires:
    Cache-Control:
    ```

    although the information presented is minimal in nature,
    and of opaque nature. It still simply discloses that an
    object by a specific name exists or not without even having
    enough permissions.

Users must upgrade to RELEASE.2024-05-27T19-17-46Z for the fix

Workarounds

There are no workarounds.

References

Refer to the pull request #19810 for more information on the fix.

Severity ?

5.3 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/minio/minio"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.0-20240527191746-e0fe7cc39172"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-36107"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-29T18:37:14Z",
    "nvd_published_at": "2024-05-28T19:15:10Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n[If-Modified-Since](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-Modified-Since)\n[If-Unmodified-Since](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-Unmodified-Since) \n\nHeaders when used with anonymous requests by sending a random object name requests you can figure\nout if the object exists or not on the server on a specific bucket and also gain access to some amount of\ninformation such as  \n\n```\nLast-Modified (of the latest version)\nEtag (of the latest version) \nx-amz-version-id (of the latest version)\nExpires (metadata value of the latest version)\nCache-Control (metadata value of the latest version)\n```\n\nThis conditional check was being honored before validating if the anonymous\naccess is indeed allowed on the metadata of an object.\n\n### Patches\nYes this issue has been already fixed in \n\n```\ncommit e0fe7cc391724fc5baa85b45508f425020fe4272 (HEAD -\u003e master, origin/master)\nAuthor: Harshavardhana \u003charsha@minio.io\u003e\nDate:   Mon May 27 12:17:46 2024 -0700\n\n    fix: information disclosure bug in preconditions GET (#19810)\n    \n    precondition check was being honored before, validating\n    if anonymous access is allowed on the metadata of an\n    object, leading to metadata disclosure of the following\n    headers.\n    \n    ```\n    Last-Modified\n    Etag\n    x-amz-version-id\n    Expires:\n    Cache-Control:\n    ```\n    \n    although the information presented is minimal in nature,\n    and of opaque nature. It still simply discloses that an\n    object by a specific name exists or not without even having\n    enough permissions.\n```\n\nUsers must upgrade to RELEASE.2024-05-27T19-17-46Z for the fix\n\n### Workarounds\nThere are no workarounds.\n\n### References\nRefer to the pull request #19810 for more information on the fix.",
  "id": "GHSA-95fr-cm4m-q5p9",
  "modified": "2024-05-29T18:37:14Z",
  "published": "2024-05-29T18:37:14Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/minio/minio/security/advisories/GHSA-95fr-cm4m-q5p9"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36107"
    },
    {
      "type": "WEB",
      "url": "https://github.com/minio/minio/pull/19810"
    },
    {
      "type": "WEB",
      "url": "https://github.com/minio/minio/commit/e0fe7cc391724fc5baa85b45508f425020fe4272"
    },
    {
      "type": "WEB",
      "url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-Modified-Since"
    },
    {
      "type": "WEB",
      "url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-Unmodified-Since"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/minio/minio"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "MinIO information disclosure vulnerability"
}

CNVD-2024-25257

Vulnerability from cnvd - Published: 2024-05-30

Title

MinIO信息泄露漏洞（CNVD-2024-25257）

Description

MinIO是一款高性能的对象存储服务，采用GNU Affero通用公共许可证v3.0发布。 MinIO RELEASE.2022-10-02T19-29-29Z版本存在安全漏洞，该漏洞源于GetObject存在If-Modified-Since、If-Unmodified-Since标头的信息泄露。目前没有详细的漏洞细节提供。

Severity

中

Patch Name

MinIO信息泄露漏洞（CNVD-2024-25257）的补丁

Patch Description

Formal description

目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载： https://github.com/minio/minio

Reference

https://github.com/minio/minio/security/advisories/GHSA-95fr-cm4m-q5p9

Impacted products

Name
MinIO MinIO <RELEASE.2024-05-27T19-17-46Z

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2024-36107",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2024-36107"
    }
  },
  "description": "MinIO\u662f\u4e00\u6b3e\u9ad8\u6027\u80fd\u7684\u5bf9\u8c61\u5b58\u50a8\u670d\u52a1\uff0c\u91c7\u7528GNU Affero\u901a\u7528\u516c\u5171\u8bb8\u53ef\u8bc1v3.0\u53d1\u5e03\u3002\n\nMinIO RELEASE.2022-10-02T19-29-29Z\u7248\u672c\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8eGetObject\u5b58\u5728If-Modified-Since\u3001If-Unmodified-Since\u6807\u5934\u7684\u4fe1\u606f\u6cc4\u9732\u3002\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u8fd9\u4e2a\u5b89\u5168\u95ee\u9898\uff0c\u8bf7\u5230\u5382\u5546\u7684\u4e3b\u9875\u4e0b\u8f7d\uff1a\r\nhttps://github.com/minio/minio",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2024-25257",
  "openTime": "2024-05-30",
  "patchDescription": "MinIO\u662f\u4e00\u6b3e\u9ad8\u6027\u80fd\u7684\u5bf9\u8c61\u5b58\u50a8\u670d\u52a1\uff0c\u91c7\u7528GNU Affero\u901a\u7528\u516c\u5171\u8bb8\u53ef\u8bc1v3.0\u53d1\u5e03\u3002\r\n\r\nMinIO RELEASE.2022-10-02T19-29-29Z\u7248\u672c\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8eGetObject\u5b58\u5728If-Modified-Since\u3001If-Unmodified-Since\u6807\u5934\u7684\u4fe1\u606f\u6cc4\u9732\u3002\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "MinIO\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff08CNVD-2024-25257\uff09\u7684\u8865\u4e01",
  "products": {
    "product": "MinIO MinIO \u003cRELEASE.2024-05-27T19-17-46Z"
  },
  "referenceLink": "https://github.com/minio/minio/security/advisories/GHSA-95fr-cm4m-q5p9",
  "serverity": "\u4e2d",
  "submitTime": "2024-05-29",
  "title": "MinIO\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff08CNVD-2024-25257\uff09"
}

WID-SEC-W-2024-1250

Vulnerability from csaf_certbund - Published: 2024-05-28 22:00 - Updated: 2024-05-28 22:00

Summary

MinIO: Schwachstelle ermöglicht Offenlegung von Informationen

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

MinIO ist ein S3-kompatibler Objektspeicher, der für groß angelegte KI/ML-, Data Lake- und Datenbank-Workloads entwickelt wurde. Er läuft "on-premise" und in jeder Cloud.

Angriff

Ein entfernter, anonymer Angreifer kann eine Schwachstelle in MinIO ausnutzen, um Informationen offenzulegen.

Betroffene Betriebssysteme

- Linux

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "MinIO ist ein S3-kompatibler Objektspeicher, der f\u00fcr gro\u00df angelegte KI/ML-, Data Lake- und Datenbank-Workloads entwickelt wurde. Er l\u00e4uft \"on-premise\" und in jeder Cloud.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, anonymer Angreifer kann eine Schwachstelle in MinIO ausnutzen, um Informationen offenzulegen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2024-1250 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-1250.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2024-1250 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-1250"
      },
      {
        "category": "external",
        "summary": "Red Hat Bugtracker #2283783 vom 2024-05-28",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2283783"
      },
      {
        "category": "external",
        "summary": "GitHub Database",
        "url": "https://github.com/minio/minio/security/advisories/GHSA-95fr-cm4m-q5p9"
      }
    ],
    "source_lang": "en-US",
    "title": "MinIO: Schwachstelle erm\u00f6glicht Offenlegung von Informationen",
    "tracking": {
      "current_release_date": "2024-05-28T22:00:00.000+00:00",
      "generator": {
        "date": "2024-08-15T18:09:38.014+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.5"
        }
      },
      "id": "WID-SEC-W-2024-1250",
      "initial_release_date": "2024-05-28T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2024-05-28T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003cRELEASE.2024-05-27T19-17-46Z",
                "product": {
                  "name": "Open Source MinIO \u003cRELEASE.2024-05-27T19-17-46Z",
                  "product_id": "T035103"
                }
              }
            ],
            "category": "product_name",
            "name": "MinIO"
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-36107",
      "notes": [
        {
          "category": "description",
          "text": "Es besteht eine Schwachstelle in MinIO. Dieser Fehler besteht im GetObject mit If-Modified-Since- und If-Unmodified-Since-Headern aufgrund einer unsachgem\u00e4\u00dfen Zugriffsverwaltung. Durch das Senden von zuf\u00e4lligen Objektnamenanfragen kann ein entfernter, anonymer Angreifer herausfinden, ob das Objekt auf dem Server in einem bestimmten Bucket besteht oder nicht und diese Schwachstelle ausnutzen, um vertrauliche Informationen offenzulegen."
        }
      ],
      "release_date": "2024-05-28T22:00:00.000+00:00",
      "title": "CVE-2024-36107"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2024-36107 (GCVE-0-2024-36107)

FKIE_CVE-2024-36107

GHSA-95FR-CM4M-Q5P9

Impact

Patches

Workarounds

References

CNVD-2024-25257

WID-SEC-W-2024-1250

Tags

Sightings

Nomenclature