← back to lessons

Cycle 239d - Centralized authz gate (MinIO) resists the incomplete-patch class that per-handler checks (Gitea) invite. Cross-target META.

Date: 2026-06-13 | Targets: MinIO (self-hosted) vs Gitea (same session) | Result: MinIO WALK CLEAN - CVE-2025-62506 reproduced (lane-validated on IAM privesc), fix verified COMPLETE at HEAD; no new finding.

What happened

Reproduced CVE-2025-62506 (service-account/STS session-policy bypass privesc) live on MinIO RELEASE.2024-06-13 AND on the current minio/minio:latest (2025-09-07): a service account SA1 restricted by an inline session policy P1 creates a child service account SA2 for the same parent user; SA2 comes back Policy: implied and escapes P1 entirely (reads a bucket P1 forbade, lists all buckets). Backend/API-confirmable via mc - validated the active-self-host lane on a 3rd bug class (IAM authz-logic privesc) and 3rd product.

Then ran the Rule-38.4 incomplete-patch check at HEAD (2026-02-12, which carries the 2025-10-15 fix). Fix is COMPLETE and I could not surface a sibling bypass.

The META lesson (bank - cross-target, high value)

Where authorization is enforced determines whether incomplete-patch bugs are even POSSIBLE.

Hunt heuristic: when you find a per-handler authz pattern, the set-difference primitive (cycle239) is high-yield - enumerate {routes with privileged auth} - {routes calling the check}. When you find a CENTRALIZED gate that overrides per-call args, the incomplete-patch angle is low-yield; pivot to the gate's own logic (does the central check itself have a bypass: claim-parsing, type-confusion, empty-policy fallthrough, the subPolicy.Version=="" reject, etc.) rather than hunting missed endpoints.

This tells you, EARLY and cheaply, whether incomplete-patch hunting will pay off on a given target: grep how the authz decision is wired before enumerating endpoints.

Operational note (not a finding - known CVE, distribution lag)

minio/minio:latest on Docker Hub resolves to RELEASE.2025-09-07 = still vulnerable to the published CVE-2025-62506. The fixed RELEASE.2025-10-15 is NOT pullable as a community image (tags after 2025-09-07 404; MinIO community releases appear paused, repo HEAD README "clarifies state of the project"). Anyone pulling minio/minio:latest today gets a build vulnerable to a published privesc. Defensive-advisory-worthy for clients, but it is the known CVE + a packaging-lag, not a novel vuln, so not staged as a finding.

Cost note

This was the productive endgame of a long session. Empirical patch-completeness was blocked (no patched community image), so the check fell to source white-box; it returned "fix complete." Banked the META + stopped - no source-only unconfirmable claims (doctrine).

Generated 2026-07-02 13:15:03 UTC | auto-sync /15min