GHSA-fvv5-h29g-f6w5: 
vulnerability analysis and mitigation

A moderate severity vulnerability (GHSA-fvv5-h29g-f6w5) was discovered in lakeFS versions 0.90.0 through 1.12.0. The vulnerability, disclosed on February 22, 2024, affects the permissions validation system in the lakeFS software, allowing users with specific permission combinations to bypass read checks when copying objects (GitHub Advisory).

The vulnerability stems from a bug in permissions validation that allows users with ci:ReadAction permission to circumvent read checks during object copying operations. The vulnerability has a CVSS v3.1 score of 5.3 (Moderate), with the following metrics: Attack Vector: Network, Attack Complexity: High, Privileges Required: Low, User Interaction: None, Scope: Unchanged, Confidentiality: High, Integrity: None, Availability: None (GitHub Advisory).

When exploited, this vulnerability allows users to access otherwise unreadable objects by copying them to paths where they have read and write permissions. The impact primarily affects confidentiality, as users can potentially access data they shouldn't have permission to read (GitHub Advisory).

The vulnerability has been patched in lakeFS version 1.12.1. For affected versions, users can implement workarounds by using RBAC to deny ci:* permissions to all users or to users with limited read access. Several installation types are naturally unaffected: installations using ACLs, and RBAC installations using only predefined policies with 'all' ARNs. The vulnerability only affects RBAC installations with specific permission combinations (GitHub Advisory).