Vulnerabilites related to MinIO - minio
CVE-2021-43858 (GCVE-0-2021-43858)
Vulnerability from cvelistv5
Published
2021-12-27 21:20
Modified
2024-08-04 04:10
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-269 - Improper Privilege Management
Summary
MinIO is a Kubernetes native application for cloud storage. Prior to version `RELEASE.2021-12-27T07-23-18Z`, a malicious client can hand-craft an HTTP API call that allows for updating policy for a user and gaining higher privileges. The patch in version `RELEASE.2021-12-27T07-23-18Z` changes the accepted request body type and removes the ability to apply policy changes through this API. There is a workaround for this vulnerability: Changing passwords can be disabled by adding an explicit `Deny` rule to disable the API for users.
References
| ► | URL | Tags | |||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T04:10:17.197Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/minio/minio/security/advisories/GHSA-j6jc-jqqc-p6cx"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/minio/minio/pull/13976"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/minio/minio/pull/7949"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/minio/minio/commit/5a96cbbeaabd0a82b0fe881378e7c21c85091abf"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/minio/minio/releases/tag/RELEASE.2021-12-27T07-23-18Z"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "minio",
"vendor": "minio",
"versions": [
{
"status": "affected",
"version": "\u003c RELEASE.2021-12-27T07-23-18Z"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "MinIO is a Kubernetes native application for cloud storage. Prior to version `RELEASE.2021-12-27T07-23-18Z`, a malicious client can hand-craft an HTTP API call that allows for updating policy for a user and gaining higher privileges. The patch in version `RELEASE.2021-12-27T07-23-18Z` changes the accepted request body type and removes the ability to apply policy changes through this API. There is a workaround for this vulnerability: Changing passwords can be disabled by adding an explicit `Deny` rule to disable the API for users."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269: Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-12-27T21:20:11",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/minio/minio/security/advisories/GHSA-j6jc-jqqc-p6cx"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/minio/minio/pull/13976"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/minio/minio/pull/7949"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/minio/minio/commit/5a96cbbeaabd0a82b0fe881378e7c21c85091abf"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/minio/minio/releases/tag/RELEASE.2021-12-27T07-23-18Z"
}
],
"source": {
"advisory": "GHSA-j6jc-jqqc-p6cx",
"discovery": "UNKNOWN"
},
"title": "User privilege escalation in MinIO",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-43858",
"STATE": "PUBLIC",
"TITLE": "User privilege escalation in MinIO"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "minio",
"version": {
"version_data": [
{
"version_value": "\u003c RELEASE.2021-12-27T07-23-18Z"
}
]
}
}
]
},
"vendor_name": "minio"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "MinIO is a Kubernetes native application for cloud storage. Prior to version `RELEASE.2021-12-27T07-23-18Z`, a malicious client can hand-craft an HTTP API call that allows for updating policy for a user and gaining higher privileges. The patch in version `RELEASE.2021-12-27T07-23-18Z` changes the accepted request body type and removes the ability to apply policy changes through this API. There is a workaround for this vulnerability: Changing passwords can be disabled by adding an explicit `Deny` rule to disable the API for users."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-269: Improper Privilege Management"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/minio/minio/security/advisories/GHSA-j6jc-jqqc-p6cx",
"refsource": "CONFIRM",
"url": "https://github.com/minio/minio/security/advisories/GHSA-j6jc-jqqc-p6cx"
},
{
"name": "https://github.com/minio/minio/pull/13976",
"refsource": "MISC",
"url": "https://github.com/minio/minio/pull/13976"
},
{
"name": "https://github.com/minio/minio/pull/7949",
"refsource": "MISC",
"url": "https://github.com/minio/minio/pull/7949"
},
{
"name": "https://github.com/minio/minio/commit/5a96cbbeaabd0a82b0fe881378e7c21c85091abf",
"refsource": "MISC",
"url": "https://github.com/minio/minio/commit/5a96cbbeaabd0a82b0fe881378e7c21c85091abf"
},
{
"name": "https://github.com/minio/minio/releases/tag/RELEASE.2021-12-27T07-23-18Z",
"refsource": "MISC",
"url": "https://github.com/minio/minio/releases/tag/RELEASE.2021-12-27T07-23-18Z"
}
]
},
"source": {
"advisory": "GHSA-j6jc-jqqc-p6cx",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-43858",
"datePublished": "2021-12-27T21:20:11",
"dateReserved": "2021-11-16T00:00:00",
"dateUpdated": "2024-08-04T04:10:17.197Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-11012 (GCVE-0-2020-11012)
Vulnerability from cvelistv5
Published
2020-04-23 21:55
Modified
2024-08-04 11:21
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-305 - Authentication Bypass by Primary Weakness
Summary
MinIO versions before RELEASE.2020-04-23T00-58-49Z have an authentication bypass issue in the MinIO admin API. Given an admin access key, it is possible to perform admin API operations i.e. creating new service accounts for existing access keys - without knowing the admin secret key. This has been fixed and released in version RELEASE.2020-04-23T00-58-49Z.
References
| ► | URL | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T11:21:14.522Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/minio/minio/security/advisories/GHSA-xv4r-vccv-mg4w"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/minio/minio/pull/9422"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/minio/minio/commit/4cd6ca02c7957aeb2de3eede08b0754332a77923"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/minio/minio/releases/tag/RELEASE.2020-04-23T00-58-49Z"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "minio",
"vendor": "MinIO",
"versions": [
{
"status": "affected",
"version": "\u003c RELEASE.2020-04-23T00-58-49Z"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "MinIO versions before RELEASE.2020-04-23T00-58-49Z have an authentication bypass issue in the MinIO admin API. Given an admin access key, it is possible to perform admin API operations i.e. creating new service accounts for existing access keys - without knowing the admin secret key. This has been fixed and released in version RELEASE.2020-04-23T00-58-49Z."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-305",
"description": "CWE-305: Authentication Bypass by Primary Weakness",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-04-23T21:55:14",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/minio/minio/security/advisories/GHSA-xv4r-vccv-mg4w"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/minio/minio/pull/9422"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/minio/minio/commit/4cd6ca02c7957aeb2de3eede08b0754332a77923"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/minio/minio/releases/tag/RELEASE.2020-04-23T00-58-49Z"
}
],
"source": {
"advisory": "GHSA-xv4r-vccv-mg4w",
"discovery": "UNKNOWN"
},
"title": "Authentication bypass MinIO Admin API",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-11012",
"STATE": "PUBLIC",
"TITLE": "Authentication bypass MinIO Admin API"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "minio",
"version": {
"version_data": [
{
"version_value": "\u003c RELEASE.2020-04-23T00-58-49Z"
}
]
}
}
]
},
"vendor_name": "MinIO"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "MinIO versions before RELEASE.2020-04-23T00-58-49Z have an authentication bypass issue in the MinIO admin API. Given an admin access key, it is possible to perform admin API operations i.e. creating new service accounts for existing access keys - without knowing the admin secret key. This has been fixed and released in version RELEASE.2020-04-23T00-58-49Z."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-305: Authentication Bypass by Primary Weakness"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/minio/minio/security/advisories/GHSA-xv4r-vccv-mg4w",
"refsource": "CONFIRM",
"url": "https://github.com/minio/minio/security/advisories/GHSA-xv4r-vccv-mg4w"
},
{
"name": "https://github.com/minio/minio/pull/9422",
"refsource": "MISC",
"url": "https://github.com/minio/minio/pull/9422"
},
{
"name": "https://github.com/minio/minio/commit/4cd6ca02c7957aeb2de3eede08b0754332a77923",
"refsource": "MISC",
"url": "https://github.com/minio/minio/commit/4cd6ca02c7957aeb2de3eede08b0754332a77923"
},
{
"name": "https://github.com/minio/minio/releases/tag/RELEASE.2020-04-23T00-58-49Z",
"refsource": "MISC",
"url": "https://github.com/minio/minio/releases/tag/RELEASE.2020-04-23T00-58-49Z"
}
]
},
"source": {
"advisory": "GHSA-xv4r-vccv-mg4w",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-11012",
"datePublished": "2020-04-23T21:55:14",
"dateReserved": "2020-03-30T00:00:00",
"dateUpdated": "2024-08-04T11:21:14.522Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-27589 (GCVE-0-2023-27589)
Vulnerability from cvelistv5
Published
2023-03-14 18:22
Modified
2025-02-25 14:57
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-269 - Improper Privilege Management
Summary
Minio is a Multi-Cloud Object Storage framework. Starting with RELEASE.2020-12-23T02-24-12Z and prior to RELEASE.2023-03-13T19-46-17Z, a user with `consoleAdmin` permissions can potentially create a user that matches the root credential `accessKey`. Once this user is created successfully, the root credential ceases to work appropriately. The issue is patched in RELEASE.2023-03-13T19-46-17Z. There are ways to work around this via adding higher privileges to the disabled root user via `mc admin policy set`.
References
| ► | URL | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T12:16:36.220Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/minio/minio/security/advisories/GHSA-9wfv-wmf7-6753",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/minio/minio/security/advisories/GHSA-9wfv-wmf7-6753"
},
{
"name": "https://github.com/minio/minio/pull/16803",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/minio/minio/pull/16803"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-27589",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-25T14:29:42.987504Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-25T14:57:36.535Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "minio",
"vendor": "minio",
"versions": [
{
"status": "affected",
"version": "\u003e= RELEASE.2020-12-23T02-24-12Z, \u003c RELEASE.2023-03-13T19-46-17Z"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Minio is a Multi-Cloud Object Storage framework. Starting with RELEASE.2020-12-23T02-24-12Z and prior to RELEASE.2023-03-13T19-46-17Z, a user with `consoleAdmin` permissions can potentially create a user that matches the root credential `accessKey`. Once this user is created successfully, the root credential ceases to work appropriately. The issue is patched in RELEASE.2023-03-13T19-46-17Z. There are ways to work around this via adding higher privileges to the disabled root user via `mc admin policy set`."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269: Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-14T18:22:35.884Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/minio/minio/security/advisories/GHSA-9wfv-wmf7-6753",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/minio/minio/security/advisories/GHSA-9wfv-wmf7-6753"
},
{
"name": "https://github.com/minio/minio/pull/16803",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/minio/minio/pull/16803"
}
],
"source": {
"advisory": "GHSA-9wfv-wmf7-6753",
"discovery": "UNKNOWN"
},
"title": "Minio vulnerable to denial of access by an admin privileged user for root credential"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-27589",
"datePublished": "2023-03-14T18:22:35.884Z",
"dateReserved": "2023-03-04T01:03:53.635Z",
"dateUpdated": "2025-02-25T14:57:36.535Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-28433 (GCVE-0-2023-28433)
Vulnerability from cvelistv5
Published
2023-03-22 20:33
Modified
2025-02-25 14:51
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-668 - Exposure of Resource to Wrong Sphere
Summary
Minio is a Multi-Cloud Object Storage framework. All users on Windows prior to version RELEASE.2023-03-20T20-16-18Z are impacted. MinIO fails to filter the `\` character, which allows for arbitrary object placement across buckets. As a result, a user with low privileges, such as an access key, service account, or STS credential, which only has permission to `PutObject` in a specific bucket, can create an admin user. This issue is patched in RELEASE.2023-03-20T20-16-18Z. There are no known workarounds.
References
| ► | URL | Tags |
|---|---|---|
|
|
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T12:38:25.491Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/minio/minio/security/advisories/GHSA-w23q-4hw3-2pp6",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/minio/minio/security/advisories/GHSA-w23q-4hw3-2pp6"
},
{
"name": "https://github.com/minio/minio/commit/8d6558b23649f613414c8527b58973fbdfa4d1b8",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/minio/minio/commit/8d6558b23649f613414c8527b58973fbdfa4d1b8"
},
{
"name": "https://github.com/minio/minio/commit/b3c54ec81e0a06392abfb3a1ffcdc80c6fbf6ebc",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/minio/minio/commit/b3c54ec81e0a06392abfb3a1ffcdc80c6fbf6ebc"
},
{
"name": "https://github.com/minio/minio/releases/tag/RELEASE.2023-03-20T20-16-18Z",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/minio/minio/releases/tag/RELEASE.2023-03-20T20-16-18Z"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-28433",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-25T14:29:09.291844Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-25T14:51:18.769Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "minio",
"vendor": "minio",
"versions": [
{
"status": "affected",
"version": "\u003c RELEASE.2023-03-20T20-16-18Z"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Minio is a Multi-Cloud Object Storage framework. All users on Windows prior to version RELEASE.2023-03-20T20-16-18Z are impacted. MinIO fails to filter the `\\` character, which allows for arbitrary object placement across buckets. As a result, a user with low privileges, such as an access key, service account, or STS credential, which only has permission to `PutObject` in a specific bucket, can create an admin user. This issue is patched in RELEASE.2023-03-20T20-16-18Z. There are no known workarounds."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-668",
"description": "CWE-668: Exposure of Resource to Wrong Sphere",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-22T20:33:43.452Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/minio/minio/security/advisories/GHSA-w23q-4hw3-2pp6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/minio/minio/security/advisories/GHSA-w23q-4hw3-2pp6"
},
{
"name": "https://github.com/minio/minio/commit/8d6558b23649f613414c8527b58973fbdfa4d1b8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/minio/minio/commit/8d6558b23649f613414c8527b58973fbdfa4d1b8"
},
{
"name": "https://github.com/minio/minio/commit/b3c54ec81e0a06392abfb3a1ffcdc80c6fbf6ebc",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/minio/minio/commit/b3c54ec81e0a06392abfb3a1ffcdc80c6fbf6ebc"
},
{
"name": "https://github.com/minio/minio/releases/tag/RELEASE.2023-03-20T20-16-18Z",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/minio/minio/releases/tag/RELEASE.2023-03-20T20-16-18Z"
}
],
"source": {
"advisory": "GHSA-w23q-4hw3-2pp6",
"discovery": "UNKNOWN"
},
"title": "Minio Privilege Escalation on Windows via Path separator manipulation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-28433",
"datePublished": "2023-03-22T20:33:43.452Z",
"dateReserved": "2023-03-15T15:59:10.052Z",
"dateUpdated": "2025-02-25T14:51:18.769Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-28434 (GCVE-0-2023-28434)
Vulnerability from cvelistv5
Published
2023-03-22 20:44
Modified
2025-10-21 23:15
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-269 - Improper Privilege Management
Summary
Minio is a Multi-Cloud Object Storage framework. Prior to RELEASE.2023-03-20T20-16-18Z, an attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing `PostPolicyBucket`. To carry out this attack, the attacker requires credentials with `arn:aws:s3:::*` permission, as well as enabled Console API access. This issue has been patched in RELEASE.2023-03-20T20-16-18Z. As a workaround, enable browser API access and turn off `MINIO_BROWSER=off`.
References
| ► | URL | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T12:38:25.275Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/minio/minio/security/advisories/GHSA-2pxw-r47w-4p8c",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/minio/minio/security/advisories/GHSA-2pxw-r47w-4p8c"
},
{
"name": "https://github.com/minio/minio/pull/16849",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/minio/minio/pull/16849"
},
{
"name": "https://github.com/minio/minio/commit/67f4ba154a27a1b06e48bfabda38355a010dfca5",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/minio/minio/commit/67f4ba154a27a1b06e48bfabda38355a010dfca5"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-28434",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-28T21:17:47.891249Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2023-09-19",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-28434"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-21T23:15:22.302Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-28434"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-09-19T00:00:00+00:00",
"value": "CVE-2023-28434 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "minio",
"vendor": "minio",
"versions": [
{
"status": "affected",
"version": "\u003c RELEASE.2023-03-20T20-16-18Z"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Minio is a Multi-Cloud Object Storage framework. Prior to RELEASE.2023-03-20T20-16-18Z, an attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing `PostPolicyBucket`. To carry out this attack, the attacker requires credentials with `arn:aws:s3:::*` permission, as well as enabled Console API access. This issue has been patched in RELEASE.2023-03-20T20-16-18Z. As a workaround, enable browser API access and turn off `MINIO_BROWSER=off`. \n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269: Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-22T20:44:04.216Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/minio/minio/security/advisories/GHSA-2pxw-r47w-4p8c",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/minio/minio/security/advisories/GHSA-2pxw-r47w-4p8c"
},
{
"name": "https://github.com/minio/minio/pull/16849",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/minio/minio/pull/16849"
},
{
"name": "https://github.com/minio/minio/commit/67f4ba154a27a1b06e48bfabda38355a010dfca5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/minio/minio/commit/67f4ba154a27a1b06e48bfabda38355a010dfca5"
}
],
"source": {
"advisory": "GHSA-2pxw-r47w-4p8c",
"discovery": "UNKNOWN"
},
"title": "MinIO is vulnerable to privilege escalation on Linux/MacOS"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-28434",
"datePublished": "2023-03-22T20:44:04.216Z",
"dateReserved": "2023-03-15T15:59:10.053Z",
"dateUpdated": "2025-10-21T23:15:22.302Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-62506 (GCVE-0-2025-62506)
Vulnerability from cvelistv5
Published
2025-10-16 21:17
Modified
2025-10-23 19:03
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-863 - Incorrect Authorization
Summary
MinIO is a high-performance object storage system. In all versions prior to RELEASE.2025-10-15T17-29-55Z, a privilege escalation vulnerability allows service accounts and STS (Security Token Service) accounts with restricted session policies to bypass their inline policy restrictions when performing operations on their own account, specifically when creating new service accounts for the same user. The vulnerability exists in the IAM policy validation logic where the code incorrectly relied on the DenyOnly argument when validating session policies for restricted accounts. When a session policy is present, the system should validate that the action is allowed by the session policy, not just that it is not denied. An attacker with valid credentials for a restricted service or STS account can create a new service account for itself without policy restrictions, resulting in a new service account with full parent privileges instead of being restricted by the inline policy. This allows the attacker to access buckets and objects beyond their intended restrictions and modify, delete, or create objects outside their authorized scope. The vulnerability is fixed in version RELEASE.2025-10-15T17-29-55Z.
References
| ► | URL | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-62506",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-17T13:51:46.931611Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-17T13:52:00.479Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-10-23T19:03:46.367Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://github.com/minio/minio/issues/21647"
},
{
"url": "https://news.ycombinator.com/item?id=45684035"
},
{
"url": "https://github.com/minio/minio/discussions/21655"
}
],
"title": "CVE Program Container",
"x_generator": {
"engine": "ADPogram 0.0.1"
}
}
],
"cna": {
"affected": [
{
"product": "minio",
"vendor": "minio",
"versions": [
{
"status": "affected",
"version": "\u003c RELEASE.2025-10-15T17-29-55Z"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "MinIO is a high-performance object storage system. In all versions prior to RELEASE.2025-10-15T17-29-55Z, a privilege escalation vulnerability allows service accounts and STS (Security Token Service) accounts with restricted session policies to bypass their inline policy restrictions when performing operations on their own account, specifically when creating new service accounts for the same user. The vulnerability exists in the IAM policy validation logic where the code incorrectly relied on the DenyOnly argument when validating session policies for restricted accounts. When a session policy is present, the system should validate that the action is allowed by the session policy, not just that it is not denied. An attacker with valid credentials for a restricted service or STS account can create a new service account for itself without policy restrictions, resulting in a new service account with full parent privileges instead of being restricted by the inline policy. This allows the attacker to access buckets and objects beyond their intended restrictions and modify, delete, or create objects outside their authorized scope. The vulnerability is fixed in version RELEASE.2025-10-15T17-29-55Z."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-16T21:17:28.219Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/minio/minio/security/advisories/GHSA-jjjj-jwhf-8rgr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/minio/minio/security/advisories/GHSA-jjjj-jwhf-8rgr"
},
{
"name": "https://github.com/minio/minio/pull/21642",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/minio/minio/pull/21642"
},
{
"name": "https://github.com/minio/minio/commit/c1a49490c78e9c3ebcad86ba0662319138ace190",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/minio/minio/commit/c1a49490c78e9c3ebcad86ba0662319138ace190"
}
],
"source": {
"advisory": "GHSA-jjjj-jwhf-8rgr",
"discovery": "UNKNOWN"
},
"title": "MinIO vulnerable to privilege escalation via session policy bypass in service accounts and STS"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-62506",
"datePublished": "2025-10-16T21:17:28.219Z",
"dateReserved": "2025-10-15T15:03:28.133Z",
"dateUpdated": "2025-10-23T19:03:46.367Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-55949 (GCVE-0-2024-55949)
Vulnerability from cvelistv5
Published
2024-12-16 20:02
Modified
2024-12-16 20:18
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-269 - Improper Privilege Management
Summary
MinIO is a high-performance, S3 compatible object store, open sourced under GNU AGPLv3 license. Minio is subject to a privilege escalation in IAM import API, all users are impacted since MinIO commit `580d9db85e04f1b63cc2909af50f0ed08afa965f`. This issue has been addressed in commit `f246c9053f9603e610d98439799bdd2a6b293427` which is included in RELEASE.2024-12-13T22-19-12Z. There are no workarounds possible, all users are advised to upgrade immediately.
References
| ► | URL | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-55949",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-16T20:18:23.221689Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-16T20:18:46.452Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "minio",
"vendor": "minio",
"versions": [
{
"status": "affected",
"version": "\u003e= RELEASE.2022-06-25T15-50-16Z, \u003c RELEASE.2024-12-13T22-19-12Z"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "MinIO is a high-performance, S3 compatible object store, open sourced under GNU AGPLv3 license. Minio is subject to a privilege escalation in IAM import API, all users are impacted since MinIO commit `580d9db85e04f1b63cc2909af50f0ed08afa965f`. This issue has been addressed in commit `f246c9053f9603e610d98439799bdd2a6b293427` which is included in RELEASE.2024-12-13T22-19-12Z. There are no workarounds possible, all users are advised to upgrade immediately."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269: Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-16T20:02:00.856Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/minio/minio/security/advisories/GHSA-cwq8-g58r-32hg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/minio/minio/security/advisories/GHSA-cwq8-g58r-32hg"
},
{
"name": "https://github.com/minio/minio/pull/20756",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/minio/minio/pull/20756"
},
{
"name": "https://github.com/minio/minio/commit/580d9db85e04f1b63cc2909af50f0ed08afa965f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/minio/minio/commit/580d9db85e04f1b63cc2909af50f0ed08afa965f"
},
{
"name": "https://github.com/minio/minio/commit/f246c9053f9603e610d98439799bdd2a6b293427",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/minio/minio/commit/f246c9053f9603e610d98439799bdd2a6b293427"
}
],
"source": {
"advisory": "GHSA-cwq8-g58r-32hg",
"discovery": "UNKNOWN"
},
"title": "Privilege escalation in IAM import API in MinIO"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-55949",
"datePublished": "2024-12-16T20:02:00.856Z",
"dateReserved": "2024-12-13T17:39:32.960Z",
"dateUpdated": "2024-12-16T20:18:46.452Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-21362 (GCVE-0-2021-21362)
Vulnerability from cvelistv5
Published
2021-03-08 18:40
Modified
2024-08-03 18:09
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-285 - Improper Authorization
Summary
MinIO is an open-source high performance object storage service and it is API compatible with Amazon S3 cloud storage service. In MinIO before version RELEASE.2021-03-04T00-53-13Z it is possible to bypass a readOnly policy by creating a temporary 'mc share upload' URL. Everyone is impacted who uses MinIO multi-users. This is fixed in version RELEASE.2021-03-04T00-53-13Z. As a workaround, one can disable uploads with `Content-Type: multipart/form-data` as mentioned in the S3 API RESTObjectPOST docs by using a proxy in front of MinIO.
References
| ► | URL | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T18:09:15.715Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/minio/minio/security/advisories/GHSA-hq5j-6r98-9m8v"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/minio/minio/pull/11682"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/minio/minio/commit/039f59b552319fcc2f83631bb421a7d4b82bc482"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/minio/minio/releases/tag/RELEASE.2021-03-04T00-53-13Z"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "minio",
"vendor": "minio",
"versions": [
{
"status": "affected",
"version": "\u003c RELEASE.2021-03-04T00-53-13Z"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "MinIO is an open-source high performance object storage service and it is API compatible with Amazon S3 cloud storage service. In MinIO before version RELEASE.2021-03-04T00-53-13Z it is possible to bypass a readOnly policy by creating a temporary \u0027mc share upload\u0027 URL. Everyone is impacted who uses MinIO multi-users. This is fixed in version RELEASE.2021-03-04T00-53-13Z. As a workaround, one can disable uploads with `Content-Type: multipart/form-data` as mentioned in the S3 API RESTObjectPOST docs by using a proxy in front of MinIO."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285: Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-03-08T18:40:34",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/minio/minio/security/advisories/GHSA-hq5j-6r98-9m8v"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/minio/minio/pull/11682"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/minio/minio/commit/039f59b552319fcc2f83631bb421a7d4b82bc482"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/minio/minio/releases/tag/RELEASE.2021-03-04T00-53-13Z"
}
],
"source": {
"advisory": "GHSA-hq5j-6r98-9m8v",
"discovery": "UNKNOWN"
},
"title": "Bypassing readOnly policy by creating a temporary \u0027mc share upload\u0027 URL",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-21362",
"STATE": "PUBLIC",
"TITLE": "Bypassing readOnly policy by creating a temporary \u0027mc share upload\u0027 URL"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "minio",
"version": {
"version_data": [
{
"version_value": "\u003c RELEASE.2021-03-04T00-53-13Z"
}
]
}
}
]
},
"vendor_name": "minio"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "MinIO is an open-source high performance object storage service and it is API compatible with Amazon S3 cloud storage service. In MinIO before version RELEASE.2021-03-04T00-53-13Z it is possible to bypass a readOnly policy by creating a temporary \u0027mc share upload\u0027 URL. Everyone is impacted who uses MinIO multi-users. This is fixed in version RELEASE.2021-03-04T00-53-13Z. As a workaround, one can disable uploads with `Content-Type: multipart/form-data` as mentioned in the S3 API RESTObjectPOST docs by using a proxy in front of MinIO."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-285: Improper Authorization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/minio/minio/security/advisories/GHSA-hq5j-6r98-9m8v",
"refsource": "CONFIRM",
"url": "https://github.com/minio/minio/security/advisories/GHSA-hq5j-6r98-9m8v"
},
{
"name": "https://github.com/minio/minio/pull/11682",
"refsource": "MISC",
"url": "https://github.com/minio/minio/pull/11682"
},
{
"name": "https://github.com/minio/minio/commit/039f59b552319fcc2f83631bb421a7d4b82bc482",
"refsource": "MISC",
"url": "https://github.com/minio/minio/commit/039f59b552319fcc2f83631bb421a7d4b82bc482"
},
{
"name": "https://github.com/minio/minio/releases/tag/RELEASE.2021-03-04T00-53-13Z",
"refsource": "MISC",
"url": "https://github.com/minio/minio/releases/tag/RELEASE.2021-03-04T00-53-13Z"
}
]
},
"source": {
"advisory": "GHSA-hq5j-6r98-9m8v",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-21362",
"datePublished": "2021-03-08T18:40:34",
"dateReserved": "2020-12-22T00:00:00",
"dateUpdated": "2024-08-03T18:09:15.715Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-27414 (GCVE-0-2025-27414)
Vulnerability from cvelistv5
Published
2025-02-28 21:06
Modified
2025-03-04 20:03
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-287 - Improper Authentication
Summary
MinIO is a high performance object storage. Starting in RELEASE.2024-06-06T09-36-42Z and prior to
RELEASE.2025-02-28T09-55-16Z, a bug in evaluating the trust of the SSH key used in an SFTP connection to MinIO allows authentication bypass and unauthorized data access. On a MinIO server with SFTP access configured and using LDAP as an external identity provider, MinIO supports SSH key based authentication for SFTP connections when the user has the `sshPublicKey` attribute set in their LDAP server. The server trusts the client's key only when the public key is the same as the `sshPublicKey` attribute. Due to the bug, when the user has no `sshPublicKey` property in LDAP, the server ends up trusting the key allowing the client to perform any FTP operations allowed by the MinIO access policies associated with the LDAP user (or any of their groups). Three requirements must be met in order to exploit the vulnerability. First, the MinIO server must be configured to allow SFTP access and use LDAP as an external identity provider. Second, the attacker must have knowledge of an LDAP username that does not have the `sshPublicKey` property set. Third, such an LDAP username or one of their groups must also have some MinIO access policy configured. When this bug is successfully exploited, the attacker can perform any FTP operations (i.e. reading, writing, deleting and listing objects) allowed by the access policy associated with the LDAP user account (and their groups). Version 1.2.0 fixes the issue.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-27414",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-04T20:03:33.343916Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-04T20:03:45.107Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "minio",
"vendor": "minio",
"versions": [
{
"status": "affected",
"version": "\u003e= RELEASE.2024-06-06T09-36-42Z, \u003c RELEASE.2025-02-28T09-55-16Z"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "MinIO is a high performance object storage. Starting in RELEASE.2024-06-06T09-36-42Z and prior to \nRELEASE.2025-02-28T09-55-16Z, a bug in evaluating the trust of the SSH key used in an SFTP connection to MinIO allows authentication bypass and unauthorized data access. On a MinIO server with SFTP access configured and using LDAP as an external identity provider, MinIO supports SSH key based authentication for SFTP connections when the user has the `sshPublicKey` attribute set in their LDAP server. The server trusts the client\u0027s key only when the public key is the same as the `sshPublicKey` attribute. Due to the bug, when the user has no `sshPublicKey` property in LDAP, the server ends up trusting the key allowing the client to perform any FTP operations allowed by the MinIO access policies associated with the LDAP user (or any of their groups). Three requirements must be met in order to exploit the vulnerability. First, the MinIO server must be configured to allow SFTP access and use LDAP as an external identity provider. Second, the attacker must have knowledge of an LDAP username that does not have the `sshPublicKey` property set. Third, such an LDAP username or one of their groups must also have some MinIO access policy configured. When this bug is successfully exploited, the attacker can perform any FTP operations (i.e. reading, writing, deleting and listing objects) allowed by the access policy associated with the LDAP user account (and their groups). Version 1.2.0 fixes the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-28T21:06:58.155Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/minio/minio/security/advisories/GHSA-wc79-7x8x-2p58",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/minio/minio/security/advisories/GHSA-wc79-7x8x-2p58"
},
{
"name": "https://github.com/minio/minio/commit/4c71f1b4ec0fb2a473ddaac18c20ec9e63f267ec",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/minio/minio/commit/4c71f1b4ec0fb2a473ddaac18c20ec9e63f267ec"
},
{
"name": "https://github.com/minio/minio/commit/91e1487de45720753c9e9e4c02b1bd16b7e452fa",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/minio/minio/commit/91e1487de45720753c9e9e4c02b1bd16b7e452fa"
}
],
"source": {
"advisory": "GHSA-wc79-7x8x-2p58",
"discovery": "UNKNOWN"
},
"title": "MinIO SFTP authentication bypass due to improperly trusted SSH key"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-27414",
"datePublished": "2025-02-28T21:06:58.155Z",
"dateReserved": "2025-02-24T15:51:17.268Z",
"dateUpdated": "2025-03-04T20:03:45.107Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-36107 (GCVE-0-2024-36107)
Vulnerability from cvelistv5
Published
2024-05-28 18:50
Modified
2024-09-03 15:28
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Summary
MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. `If-Modified-Since` and `If-Unmodified-Since` headers when used with anonymous requests by sending a random object name requests can be used to determine if an object exists or not on the server on a specific bucket and also gain access to some amount of
information such as `Last-Modified (of the latest version)`, `Etag (of the latest version)`, `x-amz-version-id (of the latest version)`, `Expires (metadata value of the latest version)`, `Cache-Control (metadata value of the latest version)`. This conditional check was being honored before validating if the anonymous access is indeed allowed on the metadata of an object. This issue has been addressed in commit `e0fe7cc3917`. Users must upgrade to RELEASE.2024-05-27T19-17-46Z for the fix. There are no known workarounds for this issue.
References
| ► | URL | Tags | |||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:30:13.046Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/minio/minio/security/advisories/GHSA-95fr-cm4m-q5p9",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/minio/minio/security/advisories/GHSA-95fr-cm4m-q5p9"
},
{
"name": "https://github.com/minio/minio/pull/19810",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/minio/minio/pull/19810"
},
{
"name": "https://github.com/minio/minio/commit/e0fe7cc391724fc5baa85b45508f425020fe4272",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/minio/minio/commit/e0fe7cc391724fc5baa85b45508f425020fe4272"
},
{
"name": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-Modified-Since",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-Modified-Since"
},
{
"name": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-Unmodified-Since",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-Unmodified-Since"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "minio",
"vendor": "minio",
"versions": [
{
"lessThan": "RELEASE.2024-05-27T19-17-46Z",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-36107",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-06T20:51:21.860158Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-03T15:28:54.674Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "minio",
"vendor": "minio",
"versions": [
{
"status": "affected",
"version": "\u003c RELEASE.2024-05-27T19-17-46Z"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. `If-Modified-Since` and `If-Unmodified-Since` headers when used with anonymous requests by sending a random object name requests can be used to determine if an object exists or not on the server on a specific bucket and also gain access to some amount of\ninformation such as `Last-Modified (of the latest version)`, `Etag (of the latest version)`, `x-amz-version-id (of the latest version)`, `Expires (metadata value of the latest version)`, `Cache-Control (metadata value of the latest version)`. This conditional check was being honored before validating if the anonymous access is indeed allowed on the metadata of an object. This issue has been addressed in commit `e0fe7cc3917`. Users must upgrade to RELEASE.2024-05-27T19-17-46Z for the fix. There are no known workarounds for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-28T18:50:51.013Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/minio/minio/security/advisories/GHSA-95fr-cm4m-q5p9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/minio/minio/security/advisories/GHSA-95fr-cm4m-q5p9"
},
{
"name": "https://github.com/minio/minio/pull/19810",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/minio/minio/pull/19810"
},
{
"name": "https://github.com/minio/minio/commit/e0fe7cc391724fc5baa85b45508f425020fe4272",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/minio/minio/commit/e0fe7cc391724fc5baa85b45508f425020fe4272"
},
{
"name": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-Modified-Since",
"tags": [
"x_refsource_MISC"
],
"url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-Modified-Since"
},
{
"name": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-Unmodified-Since",
"tags": [
"x_refsource_MISC"
],
"url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-Unmodified-Since"
}
],
"source": {
"advisory": "GHSA-95fr-cm4m-q5p9",
"discovery": "UNKNOWN"
},
"title": "Information disclosure in minio"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-36107",
"datePublished": "2024-05-28T18:50:51.013Z",
"dateReserved": "2024-05-20T21:07:48.186Z",
"dateUpdated": "2024-09-03T15:28:54.674Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-21287 (GCVE-0-2021-21287)
Vulnerability from cvelistv5
Published
2021-02-01 17:15
Modified
2024-08-03 18:09
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Summary
MinIO is a High Performance Object Storage released under Apache License v2.0. In MinIO before version RELEASE.2021-01-30T00-20-58Z there is a server-side request forgery vulnerability. The target application may have functionality for importing data from a URL, publishing data to a URL, or otherwise reading data from a URL that can be tampered with. The attacker modifies the calls to this functionality by supplying a completely different URL or by manipulating how URLs are built (path traversal etc.). In a Server-Side Request Forgery (SSRF) attack, the attacker can abuse functionality on the server to read or update internal resources. The attacker can supply or modify a URL which the code running on the server will read or submit data, and by carefully selecting the URLs, the attacker may be able to read server configuration such as AWS metadata, connect to internal services like HTTP enabled databases, or perform post requests towards internal services which are not intended to be exposed. This is fixed in version RELEASE.2021-01-30T00-20-58Z, all users are advised to upgrade. As a workaround you can disable the browser front-end with "MINIO_BROWSER=off" environment variable.
References
| ► | URL | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T18:09:15.757Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/minio/minio/security/advisories/GHSA-m4qq-5f7c-693q"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/minio/minio/pull/11337"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/minio/minio/commit/eb6871ecd960d570f70698877209e6db181bf276"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/minio/minio/releases/tag/RELEASE.2021-01-30T00-20-58Z"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "minio",
"vendor": "minio",
"versions": [
{
"status": "affected",
"version": "\u003c RELEASE.2021-01-30T00-20-58Z"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "MinIO is a High Performance Object Storage released under Apache License v2.0. In MinIO before version RELEASE.2021-01-30T00-20-58Z there is a server-side request forgery vulnerability. The target application may have functionality for importing data from a URL, publishing data to a URL, or otherwise reading data from a URL that can be tampered with. The attacker modifies the calls to this functionality by supplying a completely different URL or by manipulating how URLs are built (path traversal etc.). In a Server-Side Request Forgery (SSRF) attack, the attacker can abuse functionality on the server to read or update internal resources. The attacker can supply or modify a URL which the code running on the server will read or submit data, and by carefully selecting the URLs, the attacker may be able to read server configuration such as AWS metadata, connect to internal services like HTTP enabled databases, or perform post requests towards internal services which are not intended to be exposed. This is fixed in version RELEASE.2021-01-30T00-20-58Z, all users are advised to upgrade. As a workaround you can disable the browser front-end with \"MINIO_BROWSER=off\" environment variable."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-02-01T17:15:16",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/minio/minio/security/advisories/GHSA-m4qq-5f7c-693q"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/minio/minio/pull/11337"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/minio/minio/commit/eb6871ecd960d570f70698877209e6db181bf276"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/minio/minio/releases/tag/RELEASE.2021-01-30T00-20-58Z"
}
],
"source": {
"advisory": "GHSA-m4qq-5f7c-693q",
"discovery": "UNKNOWN"
},
"title": "Server-Side Request Forgery in MinIO Browser API",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-21287",
"STATE": "PUBLIC",
"TITLE": "Server-Side Request Forgery in MinIO Browser API"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "minio",
"version": {
"version_data": [
{
"version_value": "\u003c RELEASE.2021-01-30T00-20-58Z"
}
]
}
}
]
},
"vendor_name": "minio"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "MinIO is a High Performance Object Storage released under Apache License v2.0. In MinIO before version RELEASE.2021-01-30T00-20-58Z there is a server-side request forgery vulnerability. The target application may have functionality for importing data from a URL, publishing data to a URL, or otherwise reading data from a URL that can be tampered with. The attacker modifies the calls to this functionality by supplying a completely different URL or by manipulating how URLs are built (path traversal etc.). In a Server-Side Request Forgery (SSRF) attack, the attacker can abuse functionality on the server to read or update internal resources. The attacker can supply or modify a URL which the code running on the server will read or submit data, and by carefully selecting the URLs, the attacker may be able to read server configuration such as AWS metadata, connect to internal services like HTTP enabled databases, or perform post requests towards internal services which are not intended to be exposed. This is fixed in version RELEASE.2021-01-30T00-20-58Z, all users are advised to upgrade. As a workaround you can disable the browser front-end with \"MINIO_BROWSER=off\" environment variable."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-918: Server-Side Request Forgery (SSRF)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/minio/minio/security/advisories/GHSA-m4qq-5f7c-693q",
"refsource": "CONFIRM",
"url": "https://github.com/minio/minio/security/advisories/GHSA-m4qq-5f7c-693q"
},
{
"name": "https://github.com/minio/minio/pull/11337",
"refsource": "MISC",
"url": "https://github.com/minio/minio/pull/11337"
},
{
"name": "https://github.com/minio/minio/commit/eb6871ecd960d570f70698877209e6db181bf276",
"refsource": "MISC",
"url": "https://github.com/minio/minio/commit/eb6871ecd960d570f70698877209e6db181bf276"
},
{
"name": "https://github.com/minio/minio/releases/tag/RELEASE.2021-01-30T00-20-58Z",
"refsource": "MISC",
"url": "https://github.com/minio/minio/releases/tag/RELEASE.2021-01-30T00-20-58Z"
}
]
},
"source": {
"advisory": "GHSA-m4qq-5f7c-693q",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-21287",
"datePublished": "2021-02-01T17:15:16",
"dateReserved": "2020-12-22T00:00:00",
"dateUpdated": "2024-08-03T18:09:15.757Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-28432 (GCVE-0-2023-28432)
Vulnerability from cvelistv5
Published
2023-03-22 20:16
Modified
2025-10-21 23:15
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Summary
Minio is a Multi-Cloud Object Storage framework. In a cluster deployment starting with RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z, MinIO returns all environment variables, including `MINIO_SECRET_KEY`
and `MINIO_ROOT_PASSWORD`, resulting in information disclosure. All users of distributed deployment are impacted. All users are advised to upgrade to RELEASE.2023-03-20T20-16-18Z.
References
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T12:38:25.355Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/minio/minio/security/advisories/GHSA-6xvq-wj2x-3h3q",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/minio/minio/security/advisories/GHSA-6xvq-wj2x-3h3q"
},
{
"name": "https://github.com/minio/minio/releases/tag/RELEASE.2023-03-20T20-16-18Z",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/minio/minio/releases/tag/RELEASE.2023-03-20T20-16-18Z"
},
{
"tags": [
"x_transferred"
],
"url": "https://twitter.com/Andrew___Morris/status/1639325397241278464"
},
{
"tags": [
"x_transferred"
],
"url": "https://viz.greynoise.io/tag/minio-information-disclosure-attempt"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.greynoise.io/blog/openai-minio-and-why-you-should-always-use-docker-cli-scan-to-keep-your-supply-chain-clean"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-28432",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-28T21:16:56.029650Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2023-04-21",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-28432"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-21T23:15:22.503Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-28432"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-04-21T00:00:00+00:00",
"value": "CVE-2023-28432 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "minio",
"vendor": "minio",
"versions": [
{
"status": "affected",
"version": "\u003e= RELEASE.2019-12-17T23-16-33Z, \u003c RELEASE.2023-03-20T20-16-18Z"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Minio is a Multi-Cloud Object Storage framework. In a cluster deployment starting with RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z, MinIO returns all environment variables, including `MINIO_SECRET_KEY`\nand `MINIO_ROOT_PASSWORD`, resulting in information disclosure. All users of distributed deployment are impacted. All users are advised to upgrade to RELEASE.2023-03-20T20-16-18Z."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-27T00:08:29.261Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/minio/minio/security/advisories/GHSA-6xvq-wj2x-3h3q",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/minio/minio/security/advisories/GHSA-6xvq-wj2x-3h3q"
},
{
"name": "https://github.com/minio/minio/releases/tag/RELEASE.2023-03-20T20-16-18Z",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/minio/minio/releases/tag/RELEASE.2023-03-20T20-16-18Z"
},
{
"url": "https://twitter.com/Andrew___Morris/status/1639325397241278464"
},
{
"url": "https://viz.greynoise.io/tag/minio-information-disclosure-attempt"
},
{
"url": "https://www.greynoise.io/blog/openai-minio-and-why-you-should-always-use-docker-cli-scan-to-keep-your-supply-chain-clean"
}
],
"source": {
"advisory": "GHSA-6xvq-wj2x-3h3q",
"discovery": "UNKNOWN"
},
"title": "Minio Information Disclosure in Cluster Deployment"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-28432",
"datePublished": "2023-03-22T20:16:38.641Z",
"dateReserved": "2023-03-15T15:59:10.052Z",
"dateUpdated": "2025-10-21T23:15:22.503Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-21390 (GCVE-0-2021-21390)
Vulnerability from cvelistv5
Published
2021-03-19 16:00
Modified
2024-08-03 18:09
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-924 - Improper Enforcement of Message Integrity During Transmission in a Communication Channel
Summary
MinIO is an open-source high performance object storage service and it is API compatible with Amazon S3 cloud storage service. In MinIO before version RELEASE.2021-03-17T02-33-02Z, there is a vulnerability which enables MITM modification of request bodies that are meant to have integrity guaranteed by chunk signatures. In a PUT request using aws-chunked encoding, MinIO ordinarily verifies signatures at the end of a chunk. This check can be skipped if the client sends a false chunk size that is much greater than the actual data sent: the server accepts and completes the request without ever reaching the end of the chunk + thereby without ever checking the chunk signature. This is fixed in version RELEASE.2021-03-17T02-33-02Z. As a workaround one can avoid using "aws-chunked" encoding-based chunk signature upload requests instead use TLS. MinIO SDKs automatically disable chunked encoding signature when the server endpoint is configured with TLS.
References
| ► | URL | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T18:09:16.085Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/minio/minio/security/advisories/GHSA-xr7r-7gpj-5pgp"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/minio/minio/pull/11801"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/minio/minio/commit/e197800f9055489415b53cf137e31e194aaf7ba0"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "minio",
"vendor": "minio",
"versions": [
{
"status": "affected",
"version": "\u003c RELEASE.2021-03-17T02-33-02Z"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "MinIO is an open-source high performance object storage service and it is API compatible with Amazon S3 cloud storage service. In MinIO before version RELEASE.2021-03-17T02-33-02Z, there is a vulnerability which enables MITM modification of request bodies that are meant to have integrity guaranteed by chunk signatures. In a PUT request using aws-chunked encoding, MinIO ordinarily verifies signatures at the end of a chunk. This check can be skipped if the client sends a false chunk size that is much greater than the actual data sent: the server accepts and completes the request without ever reaching the end of the chunk + thereby without ever checking the chunk signature. This is fixed in version RELEASE.2021-03-17T02-33-02Z. As a workaround one can avoid using \"aws-chunked\" encoding-based chunk signature upload requests instead use TLS. MinIO SDKs automatically disable chunked encoding signature when the server endpoint is configured with TLS."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-924",
"description": "CWE-924: Improper Enforcement of Message Integrity During Transmission in a Communication Channel",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-03-19T16:00:17",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/minio/minio/security/advisories/GHSA-xr7r-7gpj-5pgp"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/minio/minio/pull/11801"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/minio/minio/commit/e197800f9055489415b53cf137e31e194aaf7ba0"
}
],
"source": {
"advisory": "GHSA-xr7r-7gpj-5pgp",
"discovery": "UNKNOWN"
},
"title": "MITM modification of request bodies in MinIO",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-21390",
"STATE": "PUBLIC",
"TITLE": "MITM modification of request bodies in MinIO"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "minio",
"version": {
"version_data": [
{
"version_value": "\u003c RELEASE.2021-03-17T02-33-02Z"
}
]
}
}
]
},
"vendor_name": "minio"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "MinIO is an open-source high performance object storage service and it is API compatible with Amazon S3 cloud storage service. In MinIO before version RELEASE.2021-03-17T02-33-02Z, there is a vulnerability which enables MITM modification of request bodies that are meant to have integrity guaranteed by chunk signatures. In a PUT request using aws-chunked encoding, MinIO ordinarily verifies signatures at the end of a chunk. This check can be skipped if the client sends a false chunk size that is much greater than the actual data sent: the server accepts and completes the request without ever reaching the end of the chunk + thereby without ever checking the chunk signature. This is fixed in version RELEASE.2021-03-17T02-33-02Z. As a workaround one can avoid using \"aws-chunked\" encoding-based chunk signature upload requests instead use TLS. MinIO SDKs automatically disable chunked encoding signature when the server endpoint is configured with TLS."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-924: Improper Enforcement of Message Integrity During Transmission in a Communication Channel"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/minio/minio/security/advisories/GHSA-xr7r-7gpj-5pgp",
"refsource": "CONFIRM",
"url": "https://github.com/minio/minio/security/advisories/GHSA-xr7r-7gpj-5pgp"
},
{
"name": "https://github.com/minio/minio/pull/11801",
"refsource": "MISC",
"url": "https://github.com/minio/minio/pull/11801"
},
{
"name": "https://github.com/minio/minio/commit/e197800f9055489415b53cf137e31e194aaf7ba0",
"refsource": "MISC",
"url": "https://github.com/minio/minio/commit/e197800f9055489415b53cf137e31e194aaf7ba0"
}
]
},
"source": {
"advisory": "GHSA-xr7r-7gpj-5pgp",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-21390",
"datePublished": "2021-03-19T16:00:17",
"dateReserved": "2020-12-22T00:00:00",
"dateUpdated": "2024-08-03T18:09:16.085Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-25812 (GCVE-0-2023-25812)
Vulnerability from cvelistv5
Published
2023-02-21 20:32
Modified
2025-03-10 21:07
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-281 - Improper Preservation of Permissions
Summary
Minio is a Multi-Cloud Object Storage framework. Affected versions do not correctly honor a `Deny` policy on ByPassGoverance. Ideally, minio should return "Access Denied" to all users attempting to DELETE a versionId with the special header `X-Amz-Bypass-Governance-Retention: true`. However, this was not honored instead the request will be honored and an object under governance would be incorrectly deleted. All users are advised to upgrade. There are no known workarounds for this issue.
References
| ► | URL | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T11:32:12.447Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/minio/minio/security/advisories/GHSA-c8fc-mjj8-fc63",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/minio/minio/security/advisories/GHSA-c8fc-mjj8-fc63"
},
{
"name": "https://github.com/minio/minio/pull/16635",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/minio/minio/pull/16635"
},
{
"name": "https://github.com/minio/minio/commit/a7188bc9d0f0a5ae05aaf1b8126bcd3cb3fdc485",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/minio/minio/commit/a7188bc9d0f0a5ae05aaf1b8126bcd3cb3fdc485"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-25812",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-10T21:01:42.841611Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-10T21:07:48.029Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "minio",
"vendor": "minio",
"versions": [
{
"status": "affected",
"version": "\u003e= RELEASE.2020-04-10T03-34-42Z, \u003c RELEASE.2023-02-17T17-52-43Z"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Minio is a Multi-Cloud Object Storage framework. Affected versions do not correctly honor a `Deny` policy on ByPassGoverance. Ideally, minio should return \"Access Denied\" to all users attempting to DELETE a versionId with the special header `X-Amz-Bypass-Governance-Retention: true`. However, this was not honored instead the request will be honored and an object under governance would be incorrectly deleted. All users are advised to upgrade. There are no known workarounds for this issue.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-281",
"description": "CWE-281: Improper Preservation of Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-21T20:32:34.798Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/minio/minio/security/advisories/GHSA-c8fc-mjj8-fc63",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/minio/minio/security/advisories/GHSA-c8fc-mjj8-fc63"
},
{
"name": "https://github.com/minio/minio/pull/16635",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/minio/minio/pull/16635"
},
{
"name": "https://github.com/minio/minio/commit/a7188bc9d0f0a5ae05aaf1b8126bcd3cb3fdc485",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/minio/minio/commit/a7188bc9d0f0a5ae05aaf1b8126bcd3cb3fdc485"
}
],
"source": {
"advisory": "GHSA-c8fc-mjj8-fc63",
"discovery": "UNKNOWN"
},
"title": "Allowed DELETE on resources on object locked buckets under Governance mode in Minio"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-25812",
"datePublished": "2023-02-21T20:32:34.798Z",
"dateReserved": "2023-02-15T16:34:48.773Z",
"dateUpdated": "2025-03-10T21:07:48.029Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-31028 (GCVE-0-2022-31028)
Vulnerability from cvelistv5
Published
2022-06-03 14:40
Modified
2025-04-22 17:55
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-400 - Uncontrolled Resource Consumption
Summary
MinIO is a multi-cloud object storage solution. Starting with version RELEASE.2019-09-25T18-25-51Z and ending with version RELEASE.2022-06-02T02-11-04Z, MinIO is vulnerable to an unending go-routine buildup while keeping connections established due to HTTP clients not closing the connections. Public-facing MinIO deployments are most affected. Users should upgrade to RELEASE.2022-06-02T02-11-04Z to receive a patch. One possible workaround is to use a reverse proxy to limit the number of connections being attempted in front of MinIO, and actively rejecting connections from such malicious clients.
References
| ► | URL | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T07:03:40.192Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/minio/minio/security/advisories/GHSA-qrpr-r3pw-f636"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/minio/minio/pull/14995"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://gist.github.com/harshavardhana/2d00e6f909054d2d2524c71485ad02e1"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/minio/minio/releases/tag/RELEASE.2022-06-03T01-40-53Z"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-31028",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-22T15:41:01.236333Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-22T17:55:05.741Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "minio",
"vendor": "minio",
"versions": [
{
"status": "affected",
"version": "\u003e= RELEASE.2019-09-25T18-25-51Z, \u003c RELEASE.2022-06-02T02-11-04Z"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "MinIO is a multi-cloud object storage solution. Starting with version RELEASE.2019-09-25T18-25-51Z and ending with version RELEASE.2022-06-02T02-11-04Z, MinIO is vulnerable to an unending go-routine buildup while keeping connections established due to HTTP clients not closing the connections. Public-facing MinIO deployments are most affected. Users should upgrade to RELEASE.2022-06-02T02-11-04Z to receive a patch. One possible workaround is to use a reverse proxy to limit the number of connections being attempted in front of MinIO, and actively rejecting connections from such malicious clients."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-03T14:40:11.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/minio/minio/security/advisories/GHSA-qrpr-r3pw-f636"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/minio/minio/pull/14995"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://gist.github.com/harshavardhana/2d00e6f909054d2d2524c71485ad02e1"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/minio/minio/releases/tag/RELEASE.2022-06-03T01-40-53Z"
}
],
"source": {
"advisory": "GHSA-qrpr-r3pw-f636",
"discovery": "UNKNOWN"
},
"title": "Possible DDOS by establishing keep-alive connections with anonymous HTTP clients in MinIO",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-31028",
"STATE": "PUBLIC",
"TITLE": "Possible DDOS by establishing keep-alive connections with anonymous HTTP clients in MinIO"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "minio",
"version": {
"version_data": [
{
"version_value": "\u003e= RELEASE.2019-09-25T18-25-51Z, \u003c RELEASE.2022-06-02T02-11-04Z"
}
]
}
}
]
},
"vendor_name": "minio"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "MinIO is a multi-cloud object storage solution. Starting with version RELEASE.2019-09-25T18-25-51Z and ending with version RELEASE.2022-06-02T02-11-04Z, MinIO is vulnerable to an unending go-routine buildup while keeping connections established due to HTTP clients not closing the connections. Public-facing MinIO deployments are most affected. Users should upgrade to RELEASE.2022-06-02T02-11-04Z to receive a patch. One possible workaround is to use a reverse proxy to limit the number of connections being attempted in front of MinIO, and actively rejecting connections from such malicious clients."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-400: Uncontrolled Resource Consumption"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/minio/minio/security/advisories/GHSA-qrpr-r3pw-f636",
"refsource": "CONFIRM",
"url": "https://github.com/minio/minio/security/advisories/GHSA-qrpr-r3pw-f636"
},
{
"name": "https://github.com/minio/minio/pull/14995",
"refsource": "MISC",
"url": "https://github.com/minio/minio/pull/14995"
},
{
"name": "https://gist.github.com/harshavardhana/2d00e6f909054d2d2524c71485ad02e1",
"refsource": "MISC",
"url": "https://gist.github.com/harshavardhana/2d00e6f909054d2d2524c71485ad02e1"
},
{
"name": "https://github.com/minio/minio/releases/tag/RELEASE.2022-06-03T01-40-53Z",
"refsource": "MISC",
"url": "https://github.com/minio/minio/releases/tag/RELEASE.2022-06-03T01-40-53Z"
}
]
},
"source": {
"advisory": "GHSA-qrpr-r3pw-f636",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-31028",
"datePublished": "2022-06-03T14:40:11.000Z",
"dateReserved": "2022-05-18T00:00:00.000Z",
"dateUpdated": "2025-04-22T17:55:05.741Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-24842 (GCVE-0-2022-24842)
Vulnerability from cvelistv5
Published
2022-04-12 17:20
Modified
2025-04-22 18:16
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-269 - Improper Privilege Management
Summary
MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. A security issue was found where an non-admin user is able to create service accounts for root or other admin users and then is able to assume their access policies via the generated credentials. This in turn allows the user to escalate privilege to that of the root user. This vulnerability has been resolved in pull request #14729 and is included in `RELEASE.2022-04-12T06-55-35Z`. Users unable to upgrade may workaround this issue by explicitly adding a `admin:CreateServiceAccount` deny policy, however, this, in turn, denies the user the ability to create their own service accounts as well.
References
| ► | URL | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:20:50.468Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/minio/minio/security/advisories/GHSA-2j69-jjmg-534q"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/minio/minio/pull/14729"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/minio/minio/commit/66b14a0d32684d527ae8018dc6d9d46ccce58ae3"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-24842",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-22T15:43:54.615778Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-22T18:16:15.425Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "minio",
"vendor": "minio",
"versions": [
{
"status": "affected",
"version": "\u003c RELEASE.2022-04-12T06-55-35Z"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. A security issue was found where an non-admin user is able to create service accounts for root or other admin users and then is able to assume their access policies via the generated credentials. This in turn allows the user to escalate privilege to that of the root user. This vulnerability has been resolved in pull request #14729 and is included in `RELEASE.2022-04-12T06-55-35Z`. Users unable to upgrade may workaround this issue by explicitly adding a `admin:CreateServiceAccount` deny policy, however, this, in turn, denies the user the ability to create their own service accounts as well."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269: Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-12T17:20:18.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/minio/minio/security/advisories/GHSA-2j69-jjmg-534q"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/minio/minio/pull/14729"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/minio/minio/commit/66b14a0d32684d527ae8018dc6d9d46ccce58ae3"
}
],
"source": {
"advisory": "GHSA-2j69-jjmg-534q",
"discovery": "UNKNOWN"
},
"title": "Improper Privilege Management in MinIO",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-24842",
"STATE": "PUBLIC",
"TITLE": "Improper Privilege Management in MinIO"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "minio",
"version": {
"version_data": [
{
"version_value": "\u003c RELEASE.2022-04-12T06-55-35Z"
}
]
}
}
]
},
"vendor_name": "minio"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. A security issue was found where an non-admin user is able to create service accounts for root or other admin users and then is able to assume their access policies via the generated credentials. This in turn allows the user to escalate privilege to that of the root user. This vulnerability has been resolved in pull request #14729 and is included in `RELEASE.2022-04-12T06-55-35Z`. Users unable to upgrade may workaround this issue by explicitly adding a `admin:CreateServiceAccount` deny policy, however, this, in turn, denies the user the ability to create their own service accounts as well."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-269: Improper Privilege Management"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/minio/minio/security/advisories/GHSA-2j69-jjmg-534q",
"refsource": "CONFIRM",
"url": "https://github.com/minio/minio/security/advisories/GHSA-2j69-jjmg-534q"
},
{
"name": "https://github.com/minio/minio/pull/14729",
"refsource": "MISC",
"url": "https://github.com/minio/minio/pull/14729"
},
{
"name": "https://github.com/minio/minio/commit/66b14a0d32684d527ae8018dc6d9d46ccce58ae3",
"refsource": "MISC",
"url": "https://github.com/minio/minio/commit/66b14a0d32684d527ae8018dc6d9d46ccce58ae3"
}
]
},
"source": {
"advisory": "GHSA-2j69-jjmg-534q",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-24842",
"datePublished": "2022-04-12T17:20:18.000Z",
"dateReserved": "2022-02-10T00:00:00.000Z",
"dateUpdated": "2025-04-22T18:16:15.425Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-35919 (GCVE-0-2022-35919)
Vulnerability from cvelistv5
Published
2022-08-01 00:00
Modified
2025-04-22 17:47
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Summary
MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. In affected versions all 'admin' users authorized for `admin:ServerUpdate` can selectively trigger an error that in response, returns the content of the path requested. Any normal OS system would allow access to contents at any arbitrary paths that are readable by MinIO process. Users are advised to upgrade. Users unable to upgrade may disable ServerUpdate API by denying the `admin:ServerUpdate` action for your admin users via IAM policies.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T09:51:58.534Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/minio/minio/security/advisories/GHSA-gr9v-6pcm-rqvg"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/minio/minio/pull/15429"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/minio/minio/commit/bc72e4226e669d98c8e0f3eccc9297be9251c692"
},
{
"tags": [
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/175010/Minio-2022-07-29T19-40-48Z-Path-Traversal.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-35919",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-22T15:45:19.548332Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-22T17:47:58.354Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "minio",
"vendor": "minio",
"versions": [
{
"status": "affected",
"version": "\u003c RELEASE.2022-07-29T19-40-48Z"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. In affected versions all \u0027admin\u0027 users authorized for `admin:ServerUpdate` can selectively trigger an error that in response, returns the content of the path requested. Any normal OS system would allow access to contents at any arbitrary paths that are readable by MinIO process. Users are advised to upgrade. Users unable to upgrade may disable ServerUpdate API by denying the `admin:ServerUpdate` action for your admin users via IAM policies."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-10T16:06:17.615Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://github.com/minio/minio/security/advisories/GHSA-gr9v-6pcm-rqvg"
},
{
"url": "https://github.com/minio/minio/pull/15429"
},
{
"url": "https://github.com/minio/minio/commit/bc72e4226e669d98c8e0f3eccc9297be9251c692"
},
{
"url": "http://packetstormsecurity.com/files/175010/Minio-2022-07-29T19-40-48Z-Path-Traversal.html"
}
],
"source": {
"advisory": "GHSA-gr9v-6pcm-rqvg",
"discovery": "UNKNOWN"
},
"title": "Authenticated requests for server update admin API allows path traversal in minio"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-35919",
"datePublished": "2022-08-01T00:00:00.000Z",
"dateReserved": "2022-07-15T00:00:00.000Z",
"dateUpdated": "2025-04-22T17:47:58.354Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-41137 (GCVE-0-2021-41137)
Vulnerability from cvelistv5
Published
2021-10-13 14:00
Modified
2024-08-04 02:59
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-285 - Improper Authorization
Summary
Minio is a Kubernetes native application for cloud storage. All users on release `RELEASE.2021-10-10T16-53-30Z` are affected by a vulnerability that involves bypassing policy restrictions on regular users. Normally, checkKeyValid() should return owner true for rootCreds. In the affected version, policy restriction did not work properly for users who did not have service (svc) or security token service (STS) accounts. This issue is fixed in `RELEASE.2021-10-13T00-23-17Z`. A downgrade back to release `RELEASE.2021-10-08T23-58-24Z` is available as a workaround.
References
| ► | URL | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T02:59:31.695Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/minio/minio/security/advisories/GHSA-v64v-g97p-577c"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/minio/minio/pull/13388"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/minio/minio/pull/13422"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/minio/minio/commit/415bbc74aacd53a120e54a663e941b1809982dbd"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "minio",
"vendor": "minio",
"versions": [
{
"status": "affected",
"version": "= RELEASE.2021-10-10T16-53-30Z"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Minio is a Kubernetes native application for cloud storage. All users on release `RELEASE.2021-10-10T16-53-30Z` are affected by a vulnerability that involves bypassing policy restrictions on regular users. Normally, checkKeyValid() should return owner true for rootCreds. In the affected version, policy restriction did not work properly for users who did not have service (svc) or security token service (STS) accounts. This issue is fixed in `RELEASE.2021-10-13T00-23-17Z`. A downgrade back to release `RELEASE.2021-10-08T23-58-24Z` is available as a workaround."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285: Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-10-13T14:00:12",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/minio/minio/security/advisories/GHSA-v64v-g97p-577c"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/minio/minio/pull/13388"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/minio/minio/pull/13422"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/minio/minio/commit/415bbc74aacd53a120e54a663e941b1809982dbd"
}
],
"source": {
"advisory": "GHSA-v64v-g97p-577c",
"discovery": "UNKNOWN"
},
"title": "Bypassing policy restrictions on regular users ",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-41137",
"STATE": "PUBLIC",
"TITLE": "Bypassing policy restrictions on regular users "
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "minio",
"version": {
"version_data": [
{
"version_value": "= RELEASE.2021-10-10T16-53-30Z"
}
]
}
}
]
},
"vendor_name": "minio"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Minio is a Kubernetes native application for cloud storage. All users on release `RELEASE.2021-10-10T16-53-30Z` are affected by a vulnerability that involves bypassing policy restrictions on regular users. Normally, checkKeyValid() should return owner true for rootCreds. In the affected version, policy restriction did not work properly for users who did not have service (svc) or security token service (STS) accounts. This issue is fixed in `RELEASE.2021-10-13T00-23-17Z`. A downgrade back to release `RELEASE.2021-10-08T23-58-24Z` is available as a workaround."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-285: Improper Authorization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/minio/minio/security/advisories/GHSA-v64v-g97p-577c",
"refsource": "CONFIRM",
"url": "https://github.com/minio/minio/security/advisories/GHSA-v64v-g97p-577c"
},
{
"name": "https://github.com/minio/minio/pull/13388",
"refsource": "MISC",
"url": "https://github.com/minio/minio/pull/13388"
},
{
"name": "https://github.com/minio/minio/pull/13422",
"refsource": "MISC",
"url": "https://github.com/minio/minio/pull/13422"
},
{
"name": "https://github.com/minio/minio/commit/415bbc74aacd53a120e54a663e941b1809982dbd",
"refsource": "MISC",
"url": "https://github.com/minio/minio/commit/415bbc74aacd53a120e54a663e941b1809982dbd"
}
]
},
"source": {
"advisory": "GHSA-v64v-g97p-577c",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-41137",
"datePublished": "2021-10-13T14:00:13",
"dateReserved": "2021-09-15T00:00:00",
"dateUpdated": "2024-08-04T02:59:31.695Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-31489 (GCVE-0-2025-31489)
Vulnerability from cvelistv5
Published
2025-04-03 19:36
Modified
2025-04-03 20:36
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-347 - Improper Verification of Cryptographic Signature
Summary
MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. The signature component of the authorization may be invalid, which would mean that as a client you can use any arbitrary secret to upload objects given the user already has prior WRITE permissions on the bucket. Prior knowledge of access-key, and bucket name this user might have access
to - and an access-key with a WRITE permissions is necessary. However with relevant information in place, uploading random objects to buckets is trivial and easy via curl. This issue is fixed in RELEASE.2025-04-03T14-56-28Z.
References
| ► | URL | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-31489",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-03T20:36:06.237877Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-03T20:36:19.079Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "minio",
"vendor": "minio",
"versions": [
{
"status": "affected",
"version": "\u003c RELEASE.2025-04-03T14-56-28Z"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. The signature component of the authorization may be invalid, which would mean that as a client you can use any arbitrary secret to upload objects given the user already has prior WRITE permissions on the bucket. Prior knowledge of access-key, and bucket name this user might have access\nto - and an access-key with a WRITE permissions is necessary. However with relevant information in place, uploading random objects to buckets is trivial and easy via curl. This issue is fixed in RELEASE.2025-04-03T14-56-28Z."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-347",
"description": "CWE-347: Improper Verification of Cryptographic Signature",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-03T19:36:09.335Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/minio/minio/security/advisories/GHSA-wg47-6jq2-q2hh",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/minio/minio/security/advisories/GHSA-wg47-6jq2-q2hh"
},
{
"name": "https://github.com/minio/minio/pull/21103",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/minio/minio/pull/21103"
}
],
"source": {
"advisory": "GHSA-wg47-6jq2-q2hh",
"discovery": "UNKNOWN"
},
"title": "MinIO performs incomplete signature validation for unsigned-trailer uploads"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-31489",
"datePublished": "2025-04-03T19:36:09.335Z",
"dateReserved": "2025-03-28T13:36:51.298Z",
"dateUpdated": "2025-04-03T20:36:19.079Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-24747 (GCVE-0-2024-24747)
Vulnerability from cvelistv5
Published
2024-01-31 22:10
Modified
2024-08-01 23:28
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-269 - Improper Privilege Management
Summary
MinIO is a High Performance Object Storage. When someone creates an access key, it inherits the permissions of the parent key. Not only for `s3:*` actions, but also `admin:*` actions. Which means unless somewhere above in the access-key hierarchy, the `admin` rights are denied, access keys will be able to simply override their own `s3` permissions to something more permissive. The vulnerability is fixed in RELEASE.2024-01-31T20-20-33Z.
References
| ► | URL | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "minio",
"vendor": "minio",
"versions": [
{
"lessThan": "RELEASE.2024-01-31T20-20-33Z",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-24747",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-09T04:00:49.594536Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-06T14:14:48.455Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T23:28:11.919Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/minio/minio/security/advisories/GHSA-xx8w-mq23-29g4",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/minio/minio/security/advisories/GHSA-xx8w-mq23-29g4"
},
{
"name": "https://github.com/minio/minio/commit/0ae4915a9391ef4b3ec80f5fcdcf24ee6884e776",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/minio/minio/commit/0ae4915a9391ef4b3ec80f5fcdcf24ee6884e776"
},
{
"name": "https://github.com/minio/minio/releases/tag/RELEASE.2024-01-31T20-20-33Z",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/minio/minio/releases/tag/RELEASE.2024-01-31T20-20-33Z"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "minio",
"vendor": "minio",
"versions": [
{
"status": "affected",
"version": "\u003c RELEASE.2024-01-31T20-20-33Z"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "MinIO is a High Performance Object Storage. When someone creates an access key, it inherits the permissions of the parent key. Not only for `s3:*` actions, but also `admin:*` actions. Which means unless somewhere above in the access-key hierarchy, the `admin` rights are denied, access keys will be able to simply override their own `s3` permissions to something more permissive. The vulnerability is fixed in RELEASE.2024-01-31T20-20-33Z."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269: Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-31T22:10:23.375Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/minio/minio/security/advisories/GHSA-xx8w-mq23-29g4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/minio/minio/security/advisories/GHSA-xx8w-mq23-29g4"
},
{
"name": "https://github.com/minio/minio/commit/0ae4915a9391ef4b3ec80f5fcdcf24ee6884e776",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/minio/minio/commit/0ae4915a9391ef4b3ec80f5fcdcf24ee6884e776"
},
{
"name": "https://github.com/minio/minio/releases/tag/RELEASE.2024-01-31T20-20-33Z",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/minio/minio/releases/tag/RELEASE.2024-01-31T20-20-33Z"
}
],
"source": {
"advisory": "GHSA-xx8w-mq23-29g4",
"discovery": "UNKNOWN"
},
"title": "MinIO unsafe default: Access keys inherit `admin` of root user, allowing privilege escalation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-24747",
"datePublished": "2024-01-31T22:10:23.375Z",
"dateReserved": "2024-01-29T20:51:26.009Z",
"dateUpdated": "2024-08-01T23:28:11.919Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}