Path Traversal Affecting package, versions *

  • Exploit Maturity

    Proof of concept

  • Attack Complexity


  • Privileges Required


  • Confidentiality


  • snyk-id


  • published

    2 Aug 2022

  • disclosed

    2 Aug 2022

  • credit

    Lenin Alevski

How to fix?

A fix was pushed into the master branch but not yet published.

Overview

This package is an open source object storage server compatible with Amazon S3 APIs.

Affected versions of this package are vulnerable to Path Traversal, which allows users authorized for admin:ServerUpdate to selectively trigger an error whose response returns the content of the requested path.

Note: The issue has been resolved as of version RELEASE.2022-07-29T19-40-48Z.


mc admin update alias/ /etc/passwd

The error response will contain the contents of the /etc/passwd file.


Disable the ServerUpdate API by denying the admin:ServerUpdate action for your admin users via IAM policies.
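To check where that deny is still missing, the following added example (not part of the advisory or of the project's code) audits policy documents for an effective grant of admin:ServerUpdate and compares a server's release tag with the fixed version. It assumes policies use the AWS-style JSON layout (Statement, Effect, Action, NotAction) with `*` wildcards; the policy names, sample policies and the older release tag are constructed.

```python
import fnmatch
from datetime import datetime

FIXED_RELEASE = "RELEASE.2022-07-29T19-40-48Z"  # fixed version given in the advisory
ACTION = "admin:ServerUpdate"                   # action named in the advisory

def release_time(tag):
    """Turn a RELEASE.<UTC timestamp> tag into a datetime so tags can be ordered."""
    return datetime.strptime(tag, "RELEASE.%Y-%m-%dT%H-%M-%SZ")

def is_patched(tag):
    return release_time(tag) >= release_time(FIXED_RELEASE)

def _as_list(value):
    # Statement and Action may each be a single item or a list of items.
    return [value] if isinstance(value, (str, dict)) else list(value or [])

def _matches(statement, action):
    # Assumption: AWS-style matching, case-insensitive with * wildcards.
    def hit(patterns):
        return any(fnmatch.fnmatchcase(action.lower(), p.lower())
                   for p in _as_list(patterns))
    if "NotAction" in statement:
        return not hit(statement["NotAction"])
    return hit(statement.get("Action"))

def allows_server_update(policy):
    """True if some Allow statement grants ACTION and no Deny statement covers it."""
    hits = [s.get("Effect") for s in _as_list(policy.get("Statement"))
            if _matches(s, ACTION)]
    return "Allow" in hits and "Deny" not in hits

def exposed_policies(policies, release_tag):
    """Names of policies that still grant ACTION on an unpatched server."""
    if is_patched(release_tag):
        return []
    return sorted(n for n, p in policies.items() if allows_server_update(p))

# Constructed sample policies (not taken from any real deployment).
POLICIES = {
    "ops-admin": {"Statement": [{"Effect": "Allow", "Action": ["admin:*"]}]},
    "ops-admin-hardened": {"Statement": [
        {"Effect": "Allow", "Action": ["admin:*"]},
        {"Effect": "Deny", "Action": ["admin:ServerUpdate"]}]},
    "readonly": {"Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                                "Resource": ["arn:aws:s3:::*"]}]},
}

if __name__ == "__main__":
    print(exposed_policies(POLICIES, "RELEASE.2022-06-01T00-00-00Z"))  # constructed tag
```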