CVSS: 5.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-27414 – MinIO SFTP authentication bypass due to improperly trusted SSH key
https://notcve.org/view.php?id=CVE-2025-27414
28 Feb 2025 — MinIO is a high performance object storage. Starting in RELEASE.2024-06-06T09-36-42Z and prior to RELEASE.2025-02-28T09-55-16Z, a bug in evaluating the trust of the SSH key used in an SFTP connection to MinIO allows authentication bypass and unauthorized data access. On a MinIO server with SFTP access configured and using LDAP as an external identity provider, MinIO supports SSH key based authentication for SFTP connections when the user has the `sshPublicKey` attribute set in their LDAP server. The server ... • https://github.com/minio/minio/commit/4c71f1b4ec0fb2a473ddaac18c20ec9e63f267ec • CWE-287: Improper Authentication •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-55949 – Privilege escalation in IAM import API in MinIO
https://notcve.org/view.php?id=CVE-2024-55949
16 Dec 2024 — MinIO is a high-performance, S3 compatible object store, open sourced under GNU AGPLv3 license. Minio is subject to a privilege escalation in IAM import API, all users are impacted since MinIO commit `580d9db85e04f1b63cc2909af50f0ed08afa965f`. This issue has been addressed in commit `f246c9053f9603e610d98439799bdd2a6b293427` which is included in RELEASE.2024-12-13T22-19-12Z. There are no workarounds possible, all users are advised to upgrade immediately. • https://github.com/minio/minio/commit/580d9db85e04f1b63cc2909af50f0ed08afa965f • CWE-269: Improper Privilege Management •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-36107 – Information disclosure in minio
https://notcve.org/view.php?id=CVE-2024-36107
28 May 2024 — MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. `If-Modified-Since` and `If-Unmodified-Since` headers when used with anonymous requests by sending a random object name requests can be used to determine if an object exists or not on the server on a specific bucket and also gain access to some amount of information such as `Last-Modified (of the latest version)`, `Etag (of the latest version)`, `x-amz-version-id (of the latest version)`, `Expires (metadata val... • https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-Modified-Since • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 3CVE-2024-24747 – MinIO unsafe default: Access keys inherit `admin` of root user, allowing privilege escalation
https://notcve.org/view.php?id=CVE-2024-24747
31 Jan 2024 — MinIO is a High Performance Object Storage. When someone creates an access key, it inherits the permissions of the parent key. Not only for `s3:*` actions, but also `admin:*` actions. Which means unless somewhere above in the access-key hierarchy, the `admin` rights are denied, access keys will be able to simply override their own `s3` permissions to something more permissive. The vulnerability is fixed in RELEASE.2024-01-31T20-20-33Z. • https://packetstorm.news/files/id/178031 • CWE-269: Improper Privilege Management •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-33955 – Minio console object names with RIGHT-TO-LEFT OVERRIDE unicode character can be exploited
https://notcve.org/view.php?id=CVE-2023-33955
30 May 2023 — Minio Console is the UI for MinIO Object Storage. Unicode RIGHT-TO-LEFT OVERRIDE characters can be used to mask the original filename. This issue has been patched in version 0.28.0. • https://github.com/minio/console/commit/17e791afb90c9ad27c65f63c6be14f2f6a3a9d60 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 9.0EPSS: 13%CPEs: 1EXPL: 2CVE-2023-28434 – MinIO Security Feature Bypass Vulnerability
https://notcve.org/view.php?id=CVE-2023-28434
22 Mar 2023 — Minio is a Multi-Cloud Object Storage framework. Prior to RELEASE.2023-03-20T20-16-18Z, an attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing `PostPolicyBucket`. To carry out this attack, the attacker requires credentials with `arn:aws:s3:::*` permission, as well as enabled Console API access. This issue has been patched in RELEASE.2023-03-20T20-16-18Z. As a workaround, enable browser API access and turn off `MINIO_BROWSER=off`. • https://github.com/AbelChe/evil_minio • CWE-269: Improper Privilege Management •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-28433 – Minio Privilege Escalation on Windows via Path separator manipulation
https://notcve.org/view.php?id=CVE-2023-28433
22 Mar 2023 — Minio is a Multi-Cloud Object Storage framework. All users on Windows prior to version RELEASE.2023-03-20T20-16-18Z are impacted. MinIO fails to filter the `\` character, which allows for arbitrary object placement across buckets. As a result, a user with low privileges, such as an access key, service account, or STS credential, which only has permission to `PutObject` in a specific bucket, can create an admin user. This issue is patched in RELEASE.2023-03-20T20-16-18Z. • https://github.com/minio/minio/commit/8d6558b23649f613414c8527b58973fbdfa4d1b8 • CWE-668: Exposure of Resource to Wrong Sphere •
CVSS: 7.8EPSS: 93%CPEs: 1EXPL: 22CVE-2023-28432 – MinIO Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2023-28432
22 Mar 2023 — Minio is a Multi-Cloud Object Storage framework. In a cluster deployment starting with RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z, MinIO returns all environment variables, including `MINIO_SECRET_KEY` and `MINIO_ROOT_PASSWORD`, resulting in information disclosure. All users of distributed deployment are impacted. All users are advised to upgrade to RELEASE.2023-03-20T20-16-18Z. Minio is a Multi-Cloud Object Storage framework. • https://packetstorm.news/files/id/180666 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.7EPSS: 0%CPEs: 1EXPL: 1CVE-2023-27589 – Minio vulnerable to denial of access by an admin privileged user for root credential
https://notcve.org/view.php?id=CVE-2023-27589
14 Mar 2023 — Minio is a Multi-Cloud Object Storage framework. Starting with RELEASE.2020-12-23T02-24-12Z and prior to RELEASE.2023-03-13T19-46-17Z, a user with `consoleAdmin` permissions can potentially create a user that matches the root credential `accessKey`. Once this user is created successfully, the root credential ceases to work appropriately. The issue is patched in RELEASE.2023-03-13T19-46-17Z. There are ways to work around this via adding higher privileges to the disabled root user via `mc admin policy set`. • https://github.com/minio/minio/pull/16803 • CWE-269: Improper Privilege Management •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 1CVE-2023-25812 – Allowed DELETE on resources on object locked buckets under Governance mode in Minio
https://notcve.org/view.php?id=CVE-2023-25812
21 Feb 2023 — Minio is a Multi-Cloud Object Storage framework. Affected versions do not correctly honor a `Deny` policy on ByPassGoverance. Ideally, minio should return "Access Denied" to all users attempting to DELETE a versionId with the special header `X-Amz-Bypass-Governance-Retention: true`. However, this was not honored instead the request will be honored and an object under governance would be incorrectly deleted. All users are advised to upgrade. • https://github.com/minio/minio/commit/a7188bc9d0f0a5ae05aaf1b8126bcd3cb3fdc485 • CWE-281: Improper Preservation of Permissions •