PT-2022-15910 · NetApp · StorageGRID

Published: 2022-03-04 · Updated: 2023-08-08 · CVE-2022-23232

CVSS v3.1: 4.9 (Medium)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: StorageGRID (formerly StorageGRID Webscale) versions prior to 11.6.0

Description: The issue allows external user accounts that are disabled, expired, or locked in the identity source to keep accessing S3 data to which they previously had access. In StorageGRID 11.6.0, the account status is obtained from Active Directory or Azure, and S3 access is blocked for disabled user accounts during the next background synchronization. However, accounts that are expired or locked in Active Directory or Azure, and accounts that are disabled, expired, or locked in identity sources other than Active Directory or Azure, are not handled by this synchronization: they must be removed from group memberships manually, or their S3 keys must be removed manually in Tenant Manager.

Recommendations: For versions prior to 11.6.0, manually remove disabled, expired, or locked user accounts from group memberships, or remove their S3 keys in Tenant Manager, to prevent unauthorized access. In all versions of StorageGRID, do the same for accounts that are expired or locked in Active Directory or Azure, and for accounts that are disabled, expired, or locked in identity sources other than Active Directory or Azure. Update to StorageGRID 11.6.0 so that account status is obtained from Active Directory or Azure and S3 access for disabled user accounts is blocked during background synchronization.
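As an added illustration, not NetApp's code and not a StorageGRID API, the Python audit below encodes the rules above: given a constructed export of tenant users with each account's identity source, status, S3 keys and group memberships, it lists the accounts that can still reach S3 data and are not covered by the 11.6.0 background synchronization, together with the manual cleanup each one needs. The field names and the sample users are assumptions.

```python
"""Audit helper for the StorageGRID issue above (CVE-2022-23232).

Added example, not NetApp code: it reconciles a constructed tenant export
against identity-source account status and lists the accounts that still
need manual cleanup (group removal / S3 key removal) on a given version.
"""
from __future__ import annotations
from dataclasses import dataclass, field

AUTO_SYNC_SOURCES = {"active_directory", "azure"}  # sources 11.6.0 syncs status from
FIXED_VERSION = (11, 6, 0)

@dataclass
class TenantUser:                    # assumed structure of an exported tenant user
    name: str
    identity_source: str             # e.g. "active_directory", "azure", "ldap"
    status: str                      # "active", "disabled", "expired", "locked"
    s3_keys: list[str] = field(default_factory=list)
    groups: list[str] = field(default_factory=list)

def parse_version(v: str) -> tuple[int, ...]:
    return tuple(int(p) for p in v.split("."))

def handled_by_sync(user: TenantUser, version: str) -> bool:
    """True only for the one case 11.6.0 blocks automatically: a *disabled*
    account whose status comes from Active Directory or Azure."""
    return (parse_version(version) >= FIXED_VERSION
            and user.identity_source in AUTO_SYNC_SOURCES
            and user.status == "disabled")

def audit(users: list[TenantUser], version: str) -> list[tuple[str, str]]:
    """Return (user, action) pairs for non-active accounts that still hold an
    S3 access path (group membership or S3 keys) and need manual removal."""
    findings = []
    for u in users:
        if u.status == "active" or handled_by_sync(u, version):
            continue
        if u.groups:
            findings.append((u.name, f"remove from groups {sorted(u.groups)}"))
        if u.s3_keys:
            findings.append((u.name, f"delete S3 keys {sorted(u.s3_keys)}"))
    return findings

# Constructed sample tenant export (not real accounts or keys).
SAMPLE_USERS = [
    TenantUser("alice", "active_directory", "disabled", ["KEY-EX-1"], ["s3-readers"]),
    TenantUser("bob", "active_directory", "expired", ["KEY-EX-2"], []),
    TenantUser("carol", "ldap", "disabled", [], ["s3-readers"]),
    TenantUser("dave", "azure", "active", ["KEY-EX-3"], ["s3-writers"]),
    TenantUser("erin", "azure", "locked", [], []),   # no S3 access path left
]

if __name__ == "__main__":
    for name, action in audit(SAMPLE_USERS, "11.6.0"):
        print(f"{name}: {action}")
```

On 11.6.0 only alice is covered by synchronization; bob (expired in AD) and carol (disabled in LDAP) are still reported, and on any earlier version alice is reported as well.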

Fix

Related Identifiers

CVE-2022-23232

Affected Products

Storagegrid