
x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2022-31028 #479

@GoVulnBot

CVE-2022-31028 references github.com/minio/minio, which may be a Go module.

Description:
MinIO is a multi-cloud object storage solution. Starting with version RELEASE.2019-09-25T18-25-51Z and ending with version RELEASE.2022-06-02T02-11-04Z, MinIO is vulnerable to an unending go-routine buildup while keeping connections established due to HTTP clients not closing the connections. Public-facing MinIO deployments are most affected. Users should upgrade to RELEASE.2022-06-02T02-11-04Z to receive a patch. One possible workaround is to use a reverse proxy to limit the number of connections being attempted in front of MinIO, and actively rejecting connections from such malicious clients.

Links:

See doc/triage.md for instructions on how to triage this report.

module: github.com/minio/minio
package: minio
description: |
    MinIO is a multi-cloud object storage solution. Starting with version RELEASE.2019-09-25T18-25-51Z and ending with version RELEASE.2022-06-02T02-11-04Z, MinIO is vulnerable to an unending go-routine buildup while keeping connections established due to HTTP clients not closing the connections. Public-facing MinIO deployments are most affected. Users should upgrade to RELEASE.2022-06-02T02-11-04Z to receive a patch. One possible workaround is to use a reverse proxy to limit the number of connections being attempted in front of MinIO, and actively rejecting connections from such malicious clients.
cves:
  - CVE-2022-31028
links:
    pr: https://github.com/minio/minio/pull/14995
    context:
      - https://gist.github.com/harshavardhana/2d00e6f909054d2d2524c71485ad02e1
      - https://github.com/minio/minio/releases/tag/RELEASE.2022-06-03T01-40-53Z
      - https://github.com/minio/minio/security/advisories/GHSA-qrpr-r3pw-f636

Labels

excluded: EFFECTIVELY_PRIVATE: This vulnerability exists in a package that can be imported, but isn't meant to be used outside that module.
