{
  "threat_severity" : "Moderate",
  "public_date" : "2024-05-28T00:00:00Z",
  "bugzilla" : {
    "description" : "minio: sensitive information exposure",
    "id" : "2283783",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2283783"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
    "status" : "draft"
  },
  "cwe" : "CWE-200",
  "details" : [ "MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. `If-Modified-Since` and `If-Unmodified-Since` headers when used with anonymous requests by sending a random object name requests can be used to determine if an object exists or not on the server on a specific bucket and also gain access to some amount of\ninformation such as  `Last-Modified (of the latest version)`, `Etag (of the latest version)`, `x-amz-version-id (of the latest version)`, `Expires (metadata value of the latest version)`, `Cache-Control (metadata value of the latest version)`. This conditional check was being honored before validating if the anonymous access is indeed allowed on the metadata of an object. This issue has been addressed in commit `e0fe7cc3917`. Users must upgrade to RELEASE.2024-05-27T19-17-46Z for the fix. There are no known workarounds for this issue.", "A sensitive information disclosure vulnerability was found in MinIO. Headers can be used to determine if an object exists or not on the server on a specific bucket and gain access to sensitive information." ],
  "package_state" : [ {
    "product_name" : "Red Hat build of Apache Camel 4 for Quarkus 3",
    "fix_state" : "Will not fix",
    "package_name" : "minio",
    "cpe" : "cpe:/a:redhat:camel_quarkus:3"
  }, {
    "product_name" : "Red Hat build of Apache Camel for Spring Boot 3",
    "fix_state" : "Out of support scope",
    "package_name" : "minio",
    "cpe" : "cpe:/a:redhat:camel_spring_boot:3"
  }, {
    "product_name" : "Red Hat build of Apache Camel for Spring Boot 4",
    "fix_state" : "Not affected",
    "package_name" : "minio",
    "cpe" : "cpe:/a:redhat:camel_spring_boot:4"
  }, {
    "product_name" : "Red Hat build of Quarkus",
    "fix_state" : "Not affected",
    "package_name" : "io.minio/minio",
    "cpe" : "cpe:/a:redhat:quarkus:3"
  }, {
    "product_name" : "Red Hat Integration Camel K 1",
    "fix_state" : "Will not fix",
    "package_name" : "minio",
    "cpe" : "cpe:/a:redhat:integration:1"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-36107\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-36107\nhttps://github.com/minio/minio/security/advisories/GHSA-95fr-cm4m-q5p9" ],
  "name" : "CVE-2024-36107",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}