CVE-2023-33955
Minio console object names with RIGHT-TO-LEFT OVERRIDE unicode character can be exploited
Description
### Impact Unicode RIGHT-TO-LEFT OVERRIDE characters can be used to mask the original filename. ### Reported-By Thanks to the report from Mio Li [[email protected]](mailto:[email protected]) ### Patches ``` commit 17e791afb90c9ad27c65f63c6be14f2f6a3a9d60 Author: Daniel Valdivia <[email protected]> Date: Tue May 23 08:47:12 2023 -0700 Replace RIGHT-TO-LEFT OVERRIDE unicode (#2828) Signed-off-by: Daniel Valdivia <[email protected]> ``` ### Workarounds Workarounds are to remove the concerned file and rewrite it properly with the right file and extensions. Avoid using RTLO characters in your filenames.
How to fix CVE-2023-33955
To remediate CVE-2023-33955, upgrade the affected package to a fixed version below.
- —upgrade to 0.28.0 or later
Is CVE-2023-33955 being exploited?
Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 0.28.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |