Description
Advisory GHSA-3rh2-v3gr-35p9 references a vulnerability in the following Go modules:
| Module |
|---|
| github.com/minio/minio |
Description:
Impact
What kind of vulnerability is it? Who is impacted?
A flaw in `extractMetadataFromMime()` allows any authenticated user with `s3:PutObject` permission to inject internal server-side encryption metadata into objects by sending crafted `X-Minio-Replication-*` headers on a normal PutObject request. The server unconditionally maps these headers to `X-Minio-Internal-*` encryption metadata without verifying that the request is a legitimate replication request. Objects written this way carry bogus encryption keys and become permanently unreadable through the S3 API.
Any authenticate...
References:
- ADVISORY: GHSA-3rh2-v3gr-35p9
- WEB: https://docs.min.io/enterprise/aistor-object-store/upgrade-aistor-server/community-edition
Cross references:
- github.com/minio/minio appears in 21 other report(s):
  - data/excluded/GO-2022-0285.yaml (x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2021-43858 #285) EFFECTIVELY_PRIVATE
  - data/excluded/GO-2022-0421.yaml (x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2022-24842 #421) EFFECTIVELY_PRIVATE
  - data/excluded/GO-2022-0479.yaml (x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2022-31028 #479) EFFECTIVELY_PRIVATE
  - data/excluded/GO-2022-0756.yaml (x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2022-35919 #756) EFFECTIVELY_PRIVATE
  - data/excluded/GO-2023-1591.yaml (x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2023-25812 #1591) EFFECTIVELY_PRIVATE
  - data/excluded/GO-2023-1634.yaml (x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2023-27589 #1634) EFFECTIVELY_PRIVATE
  - data/excluded/GO-2023-1667.yaml (x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2023-28432 #1667) EFFECTIVELY_PRIVATE
  - data/excluded/GO-2023-1668.yaml (x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2023-28433 #1668) EFFECTIVELY_PRIVATE
  - data/excluded/GO-2023-1669.yaml (x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2023-28434 #1669) EFFECTIVELY_PRIVATE
  - data/excluded/GO-2023-2206.yaml (x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2018-1000538 #2206) LEGACY_FALSE_POSITIVE
  - data/excluded/GO-2023-2267.yaml (x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2020-11012 #2267) LEGACY_FALSE_POSITIVE
  - data/excluded/GO-2023-2318.yaml (x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2021-21287 #2318) LEGACY_FALSE_POSITIVE
  - data/excluded/GO-2023-2322.yaml (x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2021-21362 #2322) LEGACY_FALSE_POSITIVE
  - data/reports/GO-2024-2499.yaml (x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2024-24747 #2499)
  - data/reports/GO-2024-2886.yaml (x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2024-36107 #2886)
  - data/reports/GO-2024-3336.yaml (x/vulndb: potential Go vuln in github.com/minio/minio: GHSA-cwq8-g58r-32hg #3336)
  - data/reports/GO-2025-3495.yaml (x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2025-27414 #3495)
  - data/reports/GO-2025-3594.yaml (x/vulndb: potential Go vuln in github.com/minio/minio: GHSA-wg47-6jq2-q2hh #3594)
  - data/reports/GO-2025-4034.yaml (x/vulndb: potential Go vuln in github.com/minio/minio: GHSA-jjjj-jwhf-8rgr #4034)
  - data/reports/GO-2026-4779.yaml (x/vulndb: potential Go vuln in github.com/minio/minio: GHSA-5cx5-wh4m-82fh #4779)
  - data/reports/GO-2026-4803.yaml (x/vulndb: potential Go vuln in github.com/minio/minio: GHSA-jv87-32hw-hh99 #4803)
See doc/quickstart.md for instructions on how to triage this report.
```yaml
id: GO-ID-PENDING
modules:
    - module: github.com/minio/minio
      non_go_versions:
        - introduced: TODO (earliest fixed "", vuln range ">= 0.0.0-20240328174456-468a9fae83e9, <= 0.0.0-20260212201848-7aac2a2c5b7c")
      vulnerable_at: 0.0.0-20260212201848-7aac2a2c5b7c
summary: MinIO is Vulnerable to SSE Metadata Injection via Replication Headers in github.com/minio/minio
cves:
    - CVE-2026-34204
ghsas:
    - GHSA-3rh2-v3gr-35p9
references:
    - advisory: https://github.com/advisories/GHSA-3rh2-v3gr-35p9
    - advisory: https://github.com/minio/minio/security/advisories/GHSA-3rh2-v3gr-35p9
    - web: https://docs.min.io/enterprise/aistor-object-store/upgrade-aistor-server/community-edition
source:
    id: GHSA-3rh2-v3gr-35p9
    created: 2026-03-27T23:01:13.88418032Z
review_status: UNREVIEWED
```