x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2024-36107

[GoVulnBot]

CVE-2024-36107 references github.com/minio/minio, which may be a Go module.

Description:
MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. If-Modified-Since and If-Unmodified-Since headers when used with anonymous requests by sending a random object name requests can be used to determine if an object exists or not on the server on a specific bucket and also gain access to some amount of
information such as Last-Modified (of the latest version), Etag (of the latest version), x-amz-version-id (of the latest version), Expires (metadata value of the latest version), Cache-Control (metadata value of the latest version). This conditional check was being honored before validating if the anonymous access is indeed allowed on the metadata of an object. This issue has been addressed in commit e0fe7cc3917. Users must upgrade to RELEASE.2024-05-27T19-17-46Z for the fix. There are no known workarounds for this issue.

References:

• NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-36107
• JSON: https://github.com/CVEProject/cvelist/tree/4ecc342d262e487e4f60f75aa778e1a9e556ef7c/2024/36xxx/CVE-2024-36107.json
• advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-36107
• fix: minio/minio@e0fe7cc
• fix: fix: information disclosure bug in preconditions GET minio/minio#19810
• web: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-Modified-Since
• web: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-Unmodified-Since
• web: GHSA-95fr-cm4m-q5p9
• Imported by: https://pkg.go.dev/github.com/minio/minio?tab=importedby

Cross references:

• Module github.com/minio/minio appears in issue x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2021-43858 #285 EFFECTIVELY_PRIVATE
• Module github.com/minio/minio appears in issue x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2022-24842 #421 EFFECTIVELY_PRIVATE
• Module github.com/minio/minio appears in issue x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2022-31028 #479 EFFECTIVELY_PRIVATE
• Module github.com/minio/minio appears in issue x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2022-35919 #756 EFFECTIVELY_PRIVATE
• Module github.com/minio/minio appears in issue x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2023-25812 #1591 EFFECTIVELY_PRIVATE
• Module github.com/minio/minio appears in issue x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2023-27589 #1634 EFFECTIVELY_PRIVATE
• Module github.com/minio/minio appears in issue x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2023-28432 #1667 EFFECTIVELY_PRIVATE
• Module github.com/minio/minio appears in issue x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2023-28433 #1668 EFFECTIVELY_PRIVATE
• Module github.com/minio/minio appears in issue x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2023-28434 #1669 EFFECTIVELY_PRIVATE
• Module github.com/minio/minio appears in issue x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2018-1000538 #2206 LEGACY_FALSE_POSITIVE
• Module github.com/minio/minio appears in issue x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2020-11012 #2267 LEGACY_FALSE_POSITIVE
• Module github.com/minio/minio appears in issue x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2021-21287 #2318 LEGACY_FALSE_POSITIVE
• Module github.com/minio/minio appears in issue x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2021-21362 #2322 LEGACY_FALSE_POSITIVE
• Module github.com/minio/minio appears in issue x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2024-24747 #2499 EFFECTIVELY_PRIVATE

See doc/triage.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/minio/minio
      vulnerable_at: 0.0.0-20240528192304-2f64d5f77e91
      packages:
        - package: minio
summary: CVE-2024-36107 in github.com/minio/minio
cves:
    - CVE-2024-36107
references:
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-36107
    - fix: https://github.com/minio/minio/commit/e0fe7cc391724fc5baa85b45508f425020fe4272
    - fix: https://github.com/minio/minio/pull/19810
    - web: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-Modified-Since
    - web: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-Unmodified-Since
    - web: https://github.com/minio/minio/security/advisories/GHSA-95fr-cm4m-q5p9
source:
    id: CVE-2024-36107
    created: 2024-05-28T20:01:37.683465851Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/590277 mentions this issue: data/reports: add 26 unreviewed reports

[gopherbot]

Change https://go.dev/cl/606359 mentions this issue: data/reports: regenerate 50 reports