CVSS: 7.4EPSS: 0%CPEs: 1EXPL: 4CVE-2022-35919 – Authenticated requests for server update admin API allows path traversal in minio
https://notcve.org/view.php?id=CVE-2022-35919
01 Aug 2022 — MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. In affected versions all 'admin' users authorized for `admin:ServerUpdate` can selectively trigger an error that in response, returns the content of the path requested. Any normal OS system would allow access to contents at any arbitrary paths that are readable by MinIO process. Users are advised to upgrade. Users unable to upgrade may disable ServerUpdate API by denying the `admin:ServerUpdate` action for your... • https://packetstorm.news/files/id/175010 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2022-31028 – Possible DDOS by establishing keep-alive connections with anonymous HTTP clients in MinIO
https://notcve.org/view.php?id=CVE-2022-31028
03 Jun 2022 — MinIO is a multi-cloud object storage solution. Starting with version RELEASE.2019-09-25T18-25-51Z and ending with version RELEASE.2022-06-02T02-11-04Z, MinIO is vulnerable to an unending go-routine buildup while keeping connections established due to HTTP clients not closing the connections. Public-facing MinIO deployments are most affected. Users should upgrade to RELEASE.2022-06-02T02-11-04Z to receive a patch. One possible workaround is to use a reverse proxy to limit the number of connections being att... • https://gist.github.com/harshavardhana/2d00e6f909054d2d2524c71485ad02e1 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 1CVE-2022-24842 – Improper Privilege Management in MinIO
https://notcve.org/view.php?id=CVE-2022-24842
12 Apr 2022 — MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. A security issue was found where an non-admin user is able to create service accounts for root or other admin users and then is able to assume their access policies via the generated credentials. This in turn allows the user to escalate privilege to that of the root user. This vulnerability has been resolved in pull request #14729 and is included in `RELEASE.2022-04-12T06-55-35Z`. Users unable to upgrade may wo... • https://github.com/minio/minio/commit/66b14a0d32684d527ae8018dc6d9d46ccce58ae3 • CWE-269: Improper Privilege Management •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2021-43858 – User privilege escalation in MinIO
https://notcve.org/view.php?id=CVE-2021-43858
27 Dec 2021 — MinIO is a Kubernetes native application for cloud storage. Prior to version `RELEASE.2021-12-27T07-23-18Z`, a malicious client can hand-craft an HTTP API call that allows for updating policy for a user and gaining higher privileges. The patch in version `RELEASE.2021-12-27T07-23-18Z` changes the accepted request body type and removes the ability to apply policy changes through this API. There is a workaround for this vulnerability: Changing passwords can be disabled by adding an explicit `Deny` rule to dis... • https://github.com/khuntor/CVE-2021-43858-MinIO • CWE-269: Improper Privilege Management CWE-863: Incorrect Authorization •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-41137 – Bypassing policy restrictions on regular users
https://notcve.org/view.php?id=CVE-2021-41137
13 Oct 2021 — Minio is a Kubernetes native application for cloud storage. All users on release `RELEASE.2021-10-10T16-53-30Z` are affected by a vulnerability that involves bypassing policy restrictions on regular users. Normally, checkKeyValid() should return owner true for rootCreds. In the affected version, policy restriction did not work properly for users who did not have service (svc) or security token service (STS) accounts. This issue is fixed in `RELEASE.2021-10-13T00-23-17Z`. • https://github.com/minio/minio/commit/415bbc74aacd53a120e54a663e941b1809982dbd • CWE-285: Improper Authorization •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 3CVE-2021-21390 – MITM modification of request bodies in MinIO
https://notcve.org/view.php?id=CVE-2021-21390
19 Mar 2021 — MinIO is an open-source high performance object storage service and it is API compatible with Amazon S3 cloud storage service. In MinIO before version RELEASE.2021-03-17T02-33-02Z, there is a vulnerability which enables MITM modification of request bodies that are meant to have integrity guaranteed by chunk signatures. In a PUT request using aws-chunked encoding, MinIO ordinarily verifies signatures at the end of a chunk. This check can be skipped if the client sends a false chunk size that is much greater ... • https://github.com/minio/minio/commit/e197800f9055489415b53cf137e31e194aaf7ba0 • CWE-924: Improper Enforcement of Message Integrity During Transmission in a Communication Channel •
CVSS: 7.7EPSS: 0%CPEs: 1EXPL: 1CVE-2021-21362 – Bypassing readOnly policy by creating a temporary 'mc share upload' URL
https://notcve.org/view.php?id=CVE-2021-21362
08 Mar 2021 — MinIO is an open-source high performance object storage service and it is API compatible with Amazon S3 cloud storage service. In MinIO before version RELEASE.2021-03-04T00-53-13Z it is possible to bypass a readOnly policy by creating a temporary 'mc share upload' URL. Everyone is impacted who uses MinIO multi-users. This is fixed in version RELEASE.2021-03-04T00-53-13Z. As a workaround, one can disable uploads with `Content-Type: multipart/form-data` as mentioned in the S3 API RESTObjectPOST docs by using ... • https://github.com/minio/minio/commit/039f59b552319fcc2f83631bb421a7d4b82bc482 • CWE-285: Improper Authorization CWE-863: Incorrect Authorization •
CVSS: 7.7EPSS: 96%CPEs: 1EXPL: 0CVE-2021-21287 – Server-Side Request Forgery in MinIO Browser API
https://notcve.org/view.php?id=CVE-2021-21287
01 Feb 2021 — MinIO is a High Performance Object Storage released under Apache License v2.0. In MinIO before version RELEASE.2021-01-30T00-20-58Z there is a server-side request forgery vulnerability. The target application may have functionality for importing data from a URL, publishing data to a URL, or otherwise reading data from a URL that can be tampered with. The attacker modifies the calls to this functionality by supplying a completely different URL or by manipulating how URLs are built (path traversal etc.). In a... • https://github.com/minio/minio/commit/eb6871ecd960d570f70698877209e6db181bf276 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 9.3EPSS: 0%CPEs: 1EXPL: 0CVE-2020-11012 – Authentication bypass MinIO Admin API
https://notcve.org/view.php?id=CVE-2020-11012
23 Apr 2020 — MinIO versions before RELEASE.2020-04-23T00-58-49Z have an authentication bypass issue in the MinIO admin API. Given an admin access key, it is possible to perform admin API operations i.e. creating new service accounts for existing access keys - without knowing the admin secret key. This has been fixed and released in version RELEASE.2020-04-23T00-58-49Z. MinIO versiones anteriores a la versión RELEASE.2020-04-23T00-58-49Z, tiene un problema de omisión de autenticación en la API de administración de MinIO.... • https://github.com/minio/minio/commit/4cd6ca02c7957aeb2de3eede08b0754332a77923 • CWE-305: Authentication Bypass by Primary Weakness CWE-755: Improper Handling of Exceptional Conditions •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2018-1000538
https://notcve.org/view.php?id=CVE-2018-1000538
26 Jun 2018 — Minio Inc. Minio S3 server version prior to RELEASE.2018-05-16T23-35-33Z contains a Allocation of Memory Without Limits or Throttling (similar to CWE-774) vulnerability in write-to-RAM that can result in Denial of Service. This attack appear to be exploitable via Sending V4-(pre)signed requests with large bodies . This vulnerability appears to have been fixed in after commit 9c8b7306f55f2c8c0a5c7cea9a8db9d34be8faa7. El servidor Minio S3, de Minio Inc., en versiones anteriores al RELEASE.2018-05-16T23-35-33Z... • https://github.com/minio/minio/commit/9c8b7306f55f2c8c0a5c7cea9a8db9d34be8faa7#diff-e8c3bc9bc83b5516d0cc806cd461d08bL220 • CWE-774: Allocation of File Descriptors or Handles Without Limits or Throttling •