// For flags

CVE-2020-11012

Authentication bypass MinIO Admin API

Severity Score

7.5
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

MinIO versions before RELEASE.2020-04-23T00-58-49Z have an authentication bypass issue in the MinIO admin API. Given an admin access key, it is possible to perform admin API operations i.e. creating new service accounts for existing access keys - without knowing the admin secret key. This has been fixed and released in version RELEASE.2020-04-23T00-58-49Z.

MinIO versiones anteriores a la versión RELEASE.2020-04-23T00-58-49Z, tiene un problema de omisión de autenticación en la API de administración de MinIO. Dada una clave de acceso de administrador, es posible llevar a cabo operaciones de la API del administrador, es decir, crear nuevas cuentas de servicio para claves de acceso existentes, sin conocer la clave secreta del administrador. Esto se ha corregido y publicado en la versión RELEASE.2020-04-23T00-58-49Z.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
High
Availability
None
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
None
Integrity
Partial
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2020-03-30 CVE Reserved
  • 2020-04-23 CVE Published
  • 2024-08-04 CVE Updated
  • 2024-12-17 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-305: Authentication Bypass by Primary Weakness
  • CWE-755: Improper Handling of Exceptional Conditions
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Minio
Search vendor "Minio"
 Minio
Search vendor "Minio" for product "Minio"
 < 2020-04-23t00-58-49z
Search vendor "Minio" for product "Minio" and version " < 2020-04-23t00-58-49z"
-
Affected