[github.com/treeverse/lakefs] lakeFS vulnerable to authenticated users deleting files they are not authorized to delete

Impact

Authenticated users can send a request to delete-objects through the s3 gateway and delete files they are not authorized to delete.

Patches

lakeFS v0.82.0 and later

Workarounds

Drop specific request to the lakeFS listen port. Any request with “Authorization” header and value that starts with “AWS”.

References

advisories/GHSA-28q9-9c3g-v3f9

For more information

If you have any questions or comments about this advisory:

Ask on the lakeFS Slack #help channel
Email us at security@treeverse.io

References

• https://github.com/treeverse/lakeFS/security/advisories/GHSA-28q9-9c3g-v3f9
• https://github.com/treeverse/lakeFS/commit/81182bf9c0cf57f3cec3c893cf739b2069305e37
• https://github.com/advisories/GHSA-28q9-9c3g-v3f9