Improper Access Control in github.com/treeverse/lakefs/pkg/gateway/operations
Package
github.com/treeverse/lakefs/pkg/gateway/operations
(lakeFS)
Affected versions
<0.81.x
Patched versions
0.82.0
Impact
Authenticated users can send a request to delete-objects through the s3 gateway and delete files they are not authorized to delete.
Patches
lakeFS v0.82.0 and later
Workarounds
Drop specific request to the lakeFS listen port. Any request with "Authorization" header and value that starts with "AWS".
References
advisories/GHSA-28q9-9c3g-v3f9
For more information
If you have any questions or comments about this advisory:
Ask on the lakeFS Slack #help channel
Email us at security@treeverse.io