
@iTrooz
Created June 17, 2024 12:48
CVE-2024-37865

Description

An issue in S3Browser v.11.4.5 and v.10.9.9, fixed in v.11.5.7, allows a remote attacker to obtain sensitive information via the S3 compatible storage component.

Vulnerability type

Missing SSL certificate validation

Affected product

S3Browser, versions 11.4.5 and 10.9.9 (confirmed). Older versions are not downloadable but are probably vulnerable too. Issue fixed in 11.5.7.

Affected Component

"S3 compatible storage" account types

Attack type

Remote

Impact

Information disclosure

Attack vectors

A man-in-the-middle attacker could read the content of requests and responses made by S3Browser (e.g. files written, read or listed).
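The root cause described above is a TLS client that does not validate the server certificate, so any endpoint that terminates the connection is trusted. The following is an added Python example, not code from the gist or from S3Browser, that puts the vulnerable client-side configuration next to its hardened counterpart and adds an audit check a client (or a reviewer of one) can run before opening a connection to an S3-compatible endpoint. The endpoint name and the `s3_connection` helper are constructed for illustration.

```python
import http.client
import ssl
from typing import List, Optional


def insecure_client_context() -> ssl.SSLContext:
    """Constructed example of the weak pattern behind this class of bug:
    a client context that accepts any certificate for any hostname.
    (This illustrates the misconfiguration; it is not S3Browser's code.)"""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be disabled before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE   # no chain validation at all
    return ctx


def secure_client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Hardened counterpart: system trust store (or an explicit CA bundle for a
    private S3-compatible endpoint), hostname binding, and TLS 1.2 as a floor."""
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return a list of findings describing why this context would let a
    man-in-the-middle read S3 traffic. An empty list means the basic checks pass."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: any certificate is accepted")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: certificate is not bound to the endpoint name")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version is below TLS 1.2: depends on the OpenSSL build's defaults")
    return findings


def s3_connection(endpoint: str, ctx: ssl.SSLContext,
                  port: int = 443) -> http.client.HTTPSConnection:
    """Hypothetical helper: refuse to build an S3 connection on a weak context.
    HTTPSConnection does not contact the endpoint until a request is sent."""
    findings = audit_context(ctx)
    if findings:
        raise ValueError("refusing weak TLS context for S3 endpoint: " + "; ".join(findings))
    return http.client.HTTPSConnection(endpoint, port, context=ctx)


if __name__ == "__main__":
    # Constructed endpoint name; nothing is sent on the wire here.
    for name, ctx in (("insecure", insecure_client_context()),
                      ("secure", secure_client_context())):
        print(name, audit_context(ctx) or "ok")
    conn = s3_connection("s3.example.invalid", secure_client_context())
    print("connection object prepared for", conn.host)
```

With the secure context, a certificate presented by an interposed host fails validation and Python raises `ssl.SSLCertVerificationError` at handshake time, which is exactly the failure a client in this situation should produce rather than silently proceeding; for self-hosted S3-compatible storage with a private CA, pass that CA bundle as `cafile` instead of disabling validation.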

Reference

https://s3browser.com/news.aspx

https://stackoverflow.com/questions/68629216/is-it-safe-in-terms-of-security-when-uploading-files-to-amazon-s3-via-http-not-t/68630023#68630023
