CVSS: 9.0EPSS: 13%CPEs: 1EXPL: 2CVE-2023-28434 – MinIO Security Feature Bypass Vulnerability
https://notcve.org/view.php?id=CVE-2023-28434
22 Mar 2023 — Minio is a Multi-Cloud Object Storage framework. Prior to RELEASE.2023-03-20T20-16-18Z, an attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing `PostPolicyBucket`. To carry out this attack, the attacker requires credentials with `arn:aws:s3:::*` permission, as well as enabled Console API access. This issue has been patched in RELEASE.2023-03-20T20-16-18Z. As a workaround, enable browser API access and turn off `MINIO_BROWSER=off`. • https://github.com/AbelChe/evil_minio • CWE-269: Improper Privilege Management •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-28433 – Minio Privilege Escalation on Windows via Path separator manipulation
https://notcve.org/view.php?id=CVE-2023-28433
22 Mar 2023 — Minio is a Multi-Cloud Object Storage framework. All users on Windows prior to version RELEASE.2023-03-20T20-16-18Z are impacted. MinIO fails to filter the `\` character, which allows for arbitrary object placement across buckets. As a result, a user with low privileges, such as an access key, service account, or STS credential, which only has permission to `PutObject` in a specific bucket, can create an admin user. This issue is patched in RELEASE.2023-03-20T20-16-18Z. • https://github.com/minio/minio/commit/8d6558b23649f613414c8527b58973fbdfa4d1b8 • CWE-668: Exposure of Resource to Wrong Sphere •
CVSS: 7.8EPSS: 93%CPEs: 1EXPL: 22CVE-2023-28432 – MinIO Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2023-28432
22 Mar 2023 — Minio is a Multi-Cloud Object Storage framework. In a cluster deployment starting with RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z, MinIO returns all environment variables, including `MINIO_SECRET_KEY` and `MINIO_ROOT_PASSWORD`, resulting in information disclosure. All users of distributed deployment are impacted. All users are advised to upgrade to RELEASE.2023-03-20T20-16-18Z. Minio is a Multi-Cloud Object Storage framework. • https://packetstorm.news/files/id/180666 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.7EPSS: 0%CPEs: 1EXPL: 1CVE-2023-27589 – Minio vulnerable to denial of access by an admin privileged user for root credential
https://notcve.org/view.php?id=CVE-2023-27589
14 Mar 2023 — Minio is a Multi-Cloud Object Storage framework. Starting with RELEASE.2020-12-23T02-24-12Z and prior to RELEASE.2023-03-13T19-46-17Z, a user with `consoleAdmin` permissions can potentially create a user that matches the root credential `accessKey`. Once this user is created successfully, the root credential ceases to work appropriately. The issue is patched in RELEASE.2023-03-13T19-46-17Z. There are ways to work around this via adding higher privileges to the disabled root user via `mc admin policy set`. • https://github.com/minio/minio/pull/16803 • CWE-269: Improper Privilege Management •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 1CVE-2023-25812 – Allowed DELETE on resources on object locked buckets under Governance mode in Minio
https://notcve.org/view.php?id=CVE-2023-25812
21 Feb 2023 — Minio is a Multi-Cloud Object Storage framework. Affected versions do not correctly honor a `Deny` policy on ByPassGoverance. Ideally, minio should return "Access Denied" to all users attempting to DELETE a versionId with the special header `X-Amz-Bypass-Governance-Retention: true`. However, this was not honored instead the request will be honored and an object under governance would be incorrectly deleted. All users are advised to upgrade. • https://github.com/minio/minio/commit/a7188bc9d0f0a5ae05aaf1b8126bcd3cb3fdc485 • CWE-281: Improper Preservation of Permissions •
CVSS: 7.4EPSS: 0%CPEs: 1EXPL: 4CVE-2022-35919 – Authenticated requests for server update admin API allows path traversal in minio
https://notcve.org/view.php?id=CVE-2022-35919
01 Aug 2022 — MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. In affected versions all 'admin' users authorized for `admin:ServerUpdate` can selectively trigger an error that in response, returns the content of the path requested. Any normal OS system would allow access to contents at any arbitrary paths that are readable by MinIO process. Users are advised to upgrade. Users unable to upgrade may disable ServerUpdate API by denying the `admin:ServerUpdate` action for your... • https://packetstorm.news/files/id/175010 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2022-31028 – Possible DDOS by establishing keep-alive connections with anonymous HTTP clients in MinIO
https://notcve.org/view.php?id=CVE-2022-31028
03 Jun 2022 — MinIO is a multi-cloud object storage solution. Starting with version RELEASE.2019-09-25T18-25-51Z and ending with version RELEASE.2022-06-02T02-11-04Z, MinIO is vulnerable to an unending go-routine buildup while keeping connections established due to HTTP clients not closing the connections. Public-facing MinIO deployments are most affected. Users should upgrade to RELEASE.2022-06-02T02-11-04Z to receive a patch. One possible workaround is to use a reverse proxy to limit the number of connections being att... • https://gist.github.com/harshavardhana/2d00e6f909054d2d2524c71485ad02e1 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 1CVE-2022-24842 – Improper Privilege Management in MinIO
https://notcve.org/view.php?id=CVE-2022-24842
12 Apr 2022 — MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. A security issue was found where an non-admin user is able to create service accounts for root or other admin users and then is able to assume their access policies via the generated credentials. This in turn allows the user to escalate privilege to that of the root user. This vulnerability has been resolved in pull request #14729 and is included in `RELEASE.2022-04-12T06-55-35Z`. Users unable to upgrade may wo... • https://github.com/minio/minio/commit/66b14a0d32684d527ae8018dc6d9d46ccce58ae3 • CWE-269: Improper Privilege Management •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-41137 – Bypassing policy restrictions on regular users
https://notcve.org/view.php?id=CVE-2021-41137
13 Oct 2021 — Minio is a Kubernetes native application for cloud storage. All users on release `RELEASE.2021-10-10T16-53-30Z` are affected by a vulnerability that involves bypassing policy restrictions on regular users. Normally, checkKeyValid() should return owner true for rootCreds. In the affected version, policy restriction did not work properly for users who did not have service (svc) or security token service (STS) accounts. This issue is fixed in `RELEASE.2021-10-13T00-23-17Z`. • https://github.com/minio/minio/commit/415bbc74aacd53a120e54a663e941b1809982dbd • CWE-285: Improper Authorization •