FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

minio -- MITM attack

Affected packages
minio < 2021.03.17.02.33.02

Details

VuXML ID b073677f-253a-41f9-bf2b-2d16072a25f6
Discovery 2021-03-17
Entry 2021-03-17

minio developer report:

This is a security issue because it enables MITM modification of request bodies that are meant to have integrity guaranteed by chunk signatures.

In a PUT request using aws-chunked encoding, MinIO ordinarily verifies signatures at the end of a chunk. This check can be skipped if the client sends a false chunk size that is much greater than the actual data sent: the server accepts and completes the request without ever reaching the end of the chunk + thereby without ever checking the chunk signature.
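The condition described in the report, as an added Go example that is not MinIO's code and not part of the quoted report: a chunk reader has to treat a body shorter than the declared chunk size as an error, otherwise the signature comparison is never reached. The `sign`, `frame` and `readChunk` names, the demo key and the HMAC-over-data signature are simplified assumptions and not the real SigV4 chunk-signature scheme.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
)

// sign is a simplified stand-in for the chunk signature: HMAC-SHA256 of the
// chunk data under a constructed demo key (real SigV4 chains more fields).
func sign(data []byte) string {
	m := hmac.New(sha256.New, []byte("constructed-demo-key"))
	m.Write(data)
	return hex.EncodeToString(m.Sum(nil))
}

// frame builds "<hex size>;chunk-signature=<sig>\r\n<data>" with a caller-chosen size.
func frame(declared int, sig string, data []byte) []byte {
	return []byte(fmt.Sprintf("%x;chunk-signature=%s\r\n%s", declared, sig, data))
}

// readChunk parses one chunk. strict=false models a reader that treats a short
// body as a normal end of input, so the signature comparison is never reached.
func readChunk(body []byte, strict bool) ([]byte, error) {
	hdr, rest, _ := bytes.Cut(body, []byte("\r\n"))
	size, sig := 0, ""
	if _, err := fmt.Sscanf(string(hdr), "%x;chunk-signature=%s", &size, &sig); err != nil || size < 0 {
		return nil, fmt.Errorf("bad chunk header %q", hdr)
	}
	buf := make([]byte, size)
	if n, err := io.ReadFull(bytes.NewReader(rest), buf); err != nil {
		if strict { // fewer bytes than declared must fail the request
			return nil, fmt.Errorf("chunk truncated at %d of %d bytes: %w", n, size, err)
		}
		return buf[:n], nil // unverified bytes accepted
	}
	if !hmac.Equal([]byte(sign(buf)), []byte(sig)) {
		return nil, fmt.Errorf("chunk signature mismatch")
	}
	return buf, nil
}

func main() {
	body := frame(4096, sign([]byte("original")), []byte("tampered"))
	_, err := readChunk(body, true)
	fmt.Println("strict reader:", err)
}
```

With `strict` set to false, the same body is returned without error and without any signature comparison. That is the behaviour a regression test for this class of bug should assert never happens.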

References

URL https://github.com/minio/minio/security/advisories/GHSA-xr7r-7gpj-5pgp