All the vulnerabilities related to minio - minio
var-202303-1848
Vulnerability from variot
Minio is a Multi-Cloud Object Storage framework. Prior to RELEASE.2023-03-20T20-16-18Z, an attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing `PostPolicyBucket`. To carry out this attack, the attacker requires credentials with `arn:aws:s3:::*` permission, as well as enabled Console API access. This issue has been patched in RELEASE.2023-03-20T20-16-18Z. As a workaround, enable browser API access and turn off `MINIO_BROWSER=off`. Minio Inc.'s Minio contains an unspecified vulnerability: information may be obtained, information may be tampered with, and service operation may be interrupted (DoS).
{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-202303-1848", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "minio", "scope": "lt", "trust": 1.0, "vendor": "minio", "version": "2023-03-20t20-16-18z" }, { "model": "minio", "scope": null, "trust": 0.8, "vendor": "minio", "version": null }, { "model": "minio", "scope": "eq", "trust": 0.8, "vendor": "minio", "version": null }, { "model": "minio", 
"scope": "eq", "trust": 0.8, "vendor": "minio", "version": "2023-03-20t20-16-18z" } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2023-005843" }, { "db": "NVD", "id": "CVE-2023-28434" } ] }, "configurations": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/configurations#", "children": { "@container": "@list" }, "cpe_match": { "@container": "@list" }, "data": { "@container": "@list" }, "nodes": { "@container": "@list" } }, "data": [ { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "2023-03-20t20-16-18z", "vulnerable": true } ], "operator": "OR" } ] } ], "sources": [ { "db": "NVD", "id": "CVE-2023-28434" } ] }, "cve": "CVE-2023-28434", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [], "cvssV3": [ { "attackComplexity": "LOW", "attackVector": "NETWORK", "author": "NVD", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "exploitabilityScore": 2.8, "impactScore": 5.9, "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "trust": 2.0, "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, { "attackComplexity": "Low", "attackVector": "Network", "author": "NVD", "availabilityImpact": "High", 
"baseScore": 8.8, "baseSeverity": "High", "confidentialityImpact": "High", "exploitabilityScore": null, "id": "CVE-2023-28434", "impactScore": null, "integrityImpact": "High", "privilegesRequired": "Low", "scope": "Unchanged", "trust": 0.8, "userInteraction": "None", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" } ], "severity": [ { "author": "NVD", "id": "CVE-2023-28434", "trust": 1.8, "value": "HIGH" }, { "author": "security-advisories@github.com", "id": "CVE-2023-28434", "trust": 1.0, "value": "HIGH" }, { "author": "CNNVD", "id": "CNNVD-202303-1792", "trust": 0.6, "value": "HIGH" } ] } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2023-005843" }, { "db": "CNNVD", "id": "CNNVD-202303-1792" }, { "db": "NVD", "id": "CVE-2023-28434" }, { "db": "NVD", "id": "CVE-2023-28434" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Minio is a Multi-Cloud Object Storage framework. Prior to RELEASE.2023-03-20T20-16-18Z, an attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing `PostPolicyBucket`. To carry out this attack, the attacker requires credentials with `arn:aws:s3:::*` permission, as well as enabled Console API access. This issue has been patched in RELEASE.2023-03-20T20-16-18Z. As a workaround, enable browser API access and turn off `MINIO_BROWSER=off`. Minio Inc. of Minio Exists in unspecified vulnerabilities.Information is obtained, information is tampered with, and service operation is interrupted. 
(DoS) It may be in a state", "sources": [ { "db": "NVD", "id": "CVE-2023-28434" }, { "db": "JVNDB", "id": "JVNDB-2023-005843" }, { "db": "VULMON", "id": "CVE-2023-28434" } ], "trust": 1.71 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2023-28434", "trust": 3.3 }, { "db": "JVNDB", "id": "JVNDB-2023-005843", "trust": 0.8 }, { "db": "CNNVD", "id": "CNNVD-202303-1792", "trust": 0.6 }, { "db": "VULMON", "id": "CVE-2023-28434", "trust": 0.1 } ], "sources": [ { "db": "VULMON", "id": "CVE-2023-28434" }, { "db": "JVNDB", "id": "JVNDB-2023-005843" }, { "db": "CNNVD", "id": "CNNVD-202303-1792" }, { "db": "NVD", "id": "CVE-2023-28434" } ] }, "id": "VAR-202303-1848", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "VARIoT devices database", "id": null } ], "trust": 0.18899521 }, "last_update_date": "2024-06-26T23:18:41.829000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "MinIO Security vulnerabilities", "trust": 0.6, "url": "http://123.124.177.30/web/xxk/bdxqbyid.tag?id=230916" }, { "title": "", "trust": 0.1, "url": "https://github.com/mr-xn/cve-2023-28434 " } ], "sources": [ { "db": "VULMON", "id": "CVE-2023-28434" }, { "db": "CNNVD", "id": "CNNVD-202303-1792" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": 
"NVD-CWE-noinfo", "trust": 1.0 }, { "problemtype": "Lack of information (CWE-noinfo) [NVD evaluation ]", "trust": 0.8 } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2023-005843" }, { "db": "NVD", "id": "CVE-2023-28434" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 2.5, "url": "https://github.com/minio/minio/security/advisories/ghsa-2pxw-r47w-4p8c" }, { "trust": 2.5, "url": "https://github.com/minio/minio/pull/16849" }, { "trust": 2.5, "url": "https://github.com/minio/minio/commit/67f4ba154a27a1b06e48bfabda38355a010dfca5" }, { "trust": 0.8, "url": "https://nvd.nist.gov/vuln/detail/cve-2023-28434" }, { "trust": 0.8, "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" }, { "trust": 0.6, "url": "https://cxsecurity.com/cveshow/cve-2023-28434/" }, { "trust": 0.1, "url": "https://cwe.mitre.org/data/definitions/269.html" }, { "trust": 0.1, "url": "https://github.com/mr-xn/cve-2023-28434" }, { "trust": 0.1, "url": "https://nvd.nist.gov" } ], "sources": [ { "db": "VULMON", "id": "CVE-2023-28434" }, { "db": "JVNDB", "id": "JVNDB-2023-005843" }, { "db": "CNNVD", "id": "CNNVD-202303-1792" }, { "db": "NVD", "id": "CVE-2023-28434" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "VULMON", "id": "CVE-2023-28434" }, { "db": "JVNDB", "id": "JVNDB-2023-005843" }, { "db": "CNNVD", "id": "CNNVD-202303-1792" }, { "db": "NVD", "id": "CVE-2023-28434" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2023-03-22T00:00:00", "db": "VULMON", "id": "CVE-2023-28434" }, { "date": "2023-11-10T00:00:00", "db": "JVNDB", "id": "JVNDB-2023-005843" }, { "date": 
"2023-03-22T00:00:00", "db": "CNNVD", "id": "CNNVD-202303-1792" }, { "date": "2023-03-22T21:15:18.427000", "db": "NVD", "id": "CVE-2023-28434" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2023-03-23T00:00:00", "db": "VULMON", "id": "CVE-2023-28434" }, { "date": "2023-11-10T04:23:00", "db": "JVNDB", "id": "JVNDB-2023-005843" }, { "date": "2023-03-29T00:00:00", "db": "CNNVD", "id": "CNNVD-202303-1792" }, { "date": "2024-06-21T16:12:41.387000", "db": "NVD", "id": "CVE-2023-28434" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "CNNVD", "id": "CNNVD-202303-1792" } ], "trust": 0.6 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Minio\u00a0Inc.\u00a0 of \u00a0Minio\u00a0 Vulnerability in", "sources": [ { "db": "JVNDB", "id": "JVNDB-2023-005843" } ], "trust": 0.8 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "other", "sources": [ { "db": "CNNVD", "id": "CNNVD-202303-1792" } ], "trust": 0.6 } }
var-202303-1844
Vulnerability from variot
Minio is a Multi-Cloud Object Storage framework. In a cluster deployment starting with RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z, MinIO returns all environment variables, including `MINIO_SECRET_KEY` and `MINIO_ROOT_PASSWORD`, resulting in information disclosure. All users of distributed deployment are impacted. All users are advised to upgrade to RELEASE.2023-03-20T20-16-18Z. Minio Inc.'s Minio contains an unspecified vulnerability: information may be obtained.
{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-202303-1844", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "minio", "scope": "gte", "trust": 1.0, "vendor": "minio", "version": "2019-12-17t23-16-33z" }, { "model": "minio", "scope": "lt", "trust": 1.0, "vendor": "minio", "version": "2023-03-20t20-16-18z" }, { "model": "minio", "scope": "eq", "trust": 0.8, "vendor": "minio", "version": 
"2019-12-17t23-16-33z that\u0027s all 2023-03-20t20-16-18z" }, { "model": "minio", "scope": "eq", "trust": 0.8, "vendor": "minio", "version": null }, { "model": "minio", "scope": null, "trust": 0.8, "vendor": "minio", "version": null } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2023-005841" }, { "db": "NVD", "id": "CVE-2023-28432" } ] }, "configurations": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/configurations#", "children": { "@container": "@list" }, "cpe_match": { "@container": "@list" }, "data": { "@container": "@list" }, "nodes": { "@container": "@list" } }, "data": [ { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "2023-03-20t20-16-18z", "versionStartIncluding": "2019-12-17t23-16-33z", "vulnerable": true } ], "operator": "OR" } ] } ], "sources": [ { "db": "NVD", "id": "CVE-2023-28432" } ] }, "cve": "CVE-2023-28432", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [], "cvssV3": [ { "attackComplexity": "LOW", "attackVector": "NETWORK", "author": "NVD", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "exploitabilityScore": 3.9, "impactScore": 3.6, "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "trust": 2.0, 
"userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, { "attackComplexity": "Low", "attackVector": "Network", "author": "NVD", "availabilityImpact": "None", "baseScore": 7.5, "baseSeverity": "High", "confidentialityImpact": "High", "exploitabilityScore": null, "id": "CVE-2023-28432", "impactScore": null, "integrityImpact": "None", "privilegesRequired": "None", "scope": "Unchanged", "trust": 0.8, "userInteraction": "None", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0" } ], "severity": [ { "author": "NVD", "id": "CVE-2023-28432", "trust": 1.8, "value": "HIGH" }, { "author": "security-advisories@github.com", "id": "CVE-2023-28432", "trust": 1.0, "value": "HIGH" }, { "author": "CNNVD", "id": "CNNVD-202303-1795", "trust": 0.6, "value": "HIGH" } ] } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2023-005841" }, { "db": "CNNVD", "id": "CNNVD-202303-1795" }, { "db": "NVD", "id": "CVE-2023-28432" }, { "db": "NVD", "id": "CVE-2023-28432" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Minio is a Multi-Cloud Object Storage framework. In a cluster deployment starting with RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z, MinIO returns all environment variables, including `MINIO_SECRET_KEY`\nand `MINIO_ROOT_PASSWORD`, resulting in information disclosure. All users of distributed deployment are impacted. All users are advised to upgrade to RELEASE.2023-03-20T20-16-18Z. Minio Inc. 
of Minio Exists in unspecified vulnerabilities.Information may be obtained", "sources": [ { "db": "NVD", "id": "CVE-2023-28432" }, { "db": "JVNDB", "id": "JVNDB-2023-005841" }, { "db": "VULMON", "id": "CVE-2023-28432" } ], "trust": 1.71 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2023-28432", "trust": 3.3 }, { "db": "JVNDB", "id": "JVNDB-2023-005841", "trust": 0.8 }, { "db": "CNNVD", "id": "CNNVD-202303-1795", "trust": 0.6 }, { "db": "VULMON", "id": "CVE-2023-28432", "trust": 0.1 } ], "sources": [ { "db": "VULMON", "id": "CVE-2023-28432" }, { "db": "JVNDB", "id": "JVNDB-2023-005841" }, { "db": "CNNVD", "id": "CNNVD-202303-1795" }, { "db": "NVD", "id": "CVE-2023-28432" } ] }, "id": "VAR-202303-1844", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "VARIoT devices database", "id": null } ], "trust": 0.18899521 }, "last_update_date": "2024-06-29T23:03:55.394000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "MinIO Repair measures for information disclosure vulnerabilities", "trust": 0.6, "url": "http://123.124.177.30/web/xxk/bdxqbyid.tag?id=230693" }, { "title": "", "trust": 0.1, "url": "https://github.com/atk7r/taichi " } ], "sources": [ { "db": "VULMON", "id": "CVE-2023-28432" }, { "db": "CNNVD", "id": "CNNVD-202303-1795" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": 
"https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "NVD-CWE-noinfo", "trust": 1.0 }, { "problemtype": "Lack of information (CWE-noinfo) [NVD evaluation ]", "trust": 0.8 } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2023-005841" }, { "db": "NVD", "id": "CVE-2023-28432" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 2.4, "url": "https://github.com/minio/minio/releases/tag/release.2023-03-20t20-16-18z" }, { "trust": 2.4, "url": "https://github.com/minio/minio/security/advisories/ghsa-6xvq-wj2x-3h3q" }, { "trust": 2.4, "url": "https://twitter.com/andrew___morris/status/1639325397241278464" }, { "trust": 2.4, "url": "https://viz.greynoise.io/tag/minio-information-disclosure-attempt" }, { "trust": 2.4, "url": "https://www.greynoise.io/blog/openai-minio-and-why-you-should-always-use-docker-cli-scan-to-keep-your-supply-chain-clean" }, { "trust": 0.8, "url": "https://nvd.nist.gov/vuln/detail/cve-2023-28432" }, { "trust": 0.8, "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" }, { "trust": 0.6, "url": "https://cxsecurity.com/cveshow/cve-2023-28432/" } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2023-005841" }, { "db": "CNNVD", "id": "CNNVD-202303-1795" }, { "db": "NVD", "id": "CVE-2023-28432" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "VULMON", "id": "CVE-2023-28432" }, { "db": "JVNDB", "id": "JVNDB-2023-005841" }, { "db": "CNNVD", "id": "CNNVD-202303-1795" }, { "db": "NVD", "id": "CVE-2023-28432" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2023-03-22T00:00:00", "db": "VULMON", "id": "CVE-2023-28432" }, { 
"date": "2023-11-10T00:00:00", "db": "JVNDB", "id": "JVNDB-2023-005841" }, { "date": "2023-03-22T00:00:00", "db": "CNNVD", "id": "CNNVD-202303-1795" }, { "date": "2023-03-22T21:15:18.257000", "db": "NVD", "id": "CVE-2023-28432" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2023-03-23T00:00:00", "db": "VULMON", "id": "CVE-2023-28432" }, { "date": "2023-11-10T04:23:00", "db": "JVNDB", "id": "JVNDB-2023-005841" }, { "date": "2023-03-29T00:00:00", "db": "CNNVD", "id": "CNNVD-202303-1795" }, { "date": "2024-06-27T19:30:51.627000", "db": "NVD", "id": "CVE-2023-28432" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "CNNVD", "id": "CNNVD-202303-1795" } ], "trust": 0.6 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Minio\u00a0Inc.\u00a0 of \u00a0Minio\u00a0 Vulnerability in", "sources": [ { "db": "JVNDB", "id": "JVNDB-2023-005841" } ], "trust": 0.8 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "information disclosure", "sources": [ { "db": "CNNVD", "id": "CNNVD-202303-1795" } ], "trust": 0.6 } }
var-202204-0667
Vulnerability from variot
MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. A security issue was found where a non-admin user is able to create service accounts for root or other admin users and then is able to assume their access policies via the generated credentials. This in turn allows the user to escalate privilege to that of the root user. This vulnerability has been resolved in pull request #14729 and is included in `RELEASE.2022-04-12T06-55-35Z`. Users unable to upgrade may work around this issue by explicitly adding an `admin:CreateServiceAccount` deny policy; however, this in turn denies the user the ability to create their own service accounts as well. Minio Inc.'s Minio contains an unspecified vulnerability: information may be obtained, information may be tampered with, and service operation may be interrupted (DoS).
{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-202204-0667", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "minio", "scope": "lt", "trust": 1.0, "vendor": "minio", "version": "2022-04-12t06-55-35z" }, { "model": "minio", "scope": "gte", "trust": 1.0, "vendor": "minio", "version": "2021-12-09t06-19-41z" }, { "model": "minio", "scope": "eq", "trust": 0.8, "vendor": "minio", "version": null }, { 
"model": "minio", "scope": "eq", "trust": 0.8, "vendor": "minio", "version": "2021-12-09t06-19-41z that\u0027s all 2022-04-12t06-55-35z" }, { "model": "minio", "scope": null, "trust": 0.8, "vendor": "minio", "version": null } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2022-008408" }, { "db": "NVD", "id": "CVE-2022-24842" } ] }, "configurations": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/configurations#", "children": { "@container": "@list" }, "cpe_match": { "@container": "@list" }, "data": { "@container": "@list" }, "nodes": { "@container": "@list" } }, "data": [ { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "2022-04-12t06-55-35z", "versionStartIncluding": "2021-12-09t06-19-41z", "vulnerable": true } ], "operator": "OR" } ] } ], "sources": [ { "db": "NVD", "id": "CVE-2022-24842" } ] }, "cve": "CVE-2022-24842", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [ { "acInsufInfo": false, "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "author": "NVD", "availabilityImpact": "COMPLETE", "baseScore": 9.0, "confidentialityImpact": "COMPLETE", "exploitabilityScore": 8.0, "impactScore": 10.0, "integrityImpact": "COMPLETE", "obtainAllPrivilege": false, "obtainOtherPrivilege": false, 
"obtainUserPrivilege": false, "severity": "HIGH", "trust": 1.0, "userInteractionRequired": false, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0" }, { "acInsufInfo": null, "accessComplexity": "Low", "accessVector": "Network", "authentication": "Single", "author": "NVD", "availabilityImpact": "Complete", "baseScore": 9.0, "confidentialityImpact": "Complete", "exploitabilityScore": null, "id": "CVE-2022-24842", "impactScore": null, "integrityImpact": "Complete", "obtainAllPrivilege": null, "obtainOtherPrivilege": null, "obtainUserPrivilege": null, "severity": "High", "trust": 0.9, "userInteractionRequired": null, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0" } ], "cvssV3": [ { "attackComplexity": "LOW", "attackVector": "NETWORK", "author": "NVD", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "exploitabilityScore": 2.8, "impactScore": 5.9, "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "trust": 2.0, "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, { "attackComplexity": "Low", "attackVector": "Network", "author": "NVD", "availabilityImpact": "High", "baseScore": 8.8, "baseSeverity": "High", "confidentialityImpact": "High", "exploitabilityScore": null, "id": "CVE-2022-24842", "impactScore": null, "integrityImpact": "High", "privilegesRequired": "Low", "scope": "Unchanged", "trust": 0.8, "userInteraction": "None", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" } ], "severity": [ { "author": "NVD", "id": "CVE-2022-24842", "trust": 1.8, "value": "HIGH" }, { "author": "security-advisories@github.com", "id": "CVE-2022-24842", "trust": 1.0, "value": "HIGH" }, { "author": "CNNVD", "id": "CNNVD-202204-3225", "trust": 0.6, "value": "HIGH" }, { "author": "VULMON", "id": "CVE-2022-24842", "trust": 0.1, "value": "HIGH" } ] } ], "sources": [ { "db": "VULMON", "id": 
"CVE-2022-24842" }, { "db": "JVNDB", "id": "JVNDB-2022-008408" }, { "db": "NVD", "id": "CVE-2022-24842" }, { "db": "NVD", "id": "CVE-2022-24842" }, { "db": "CNNVD", "id": "CNNVD-202204-3225" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. A security issue was found where an non-admin user is able to create service accounts for root or other admin users and then is able to assume their access policies via the generated credentials. This in turn allows the user to escalate privilege to that of the root user. This vulnerability has been resolved in pull request #14729 and is included in `RELEASE.2022-04-12T06-55-35Z`. Users unable to upgrade may workaround this issue by explicitly adding a `admin:CreateServiceAccount` deny policy, however, this, in turn, denies the user the ability to create their own service accounts as well. Minio Inc. of Minio Exists in unspecified vulnerabilities.Information is obtained, information is tampered with, and service operation is interrupted. 
(DoS) It may be in a state", "sources": [ { "db": "NVD", "id": "CVE-2022-24842" }, { "db": "JVNDB", "id": "JVNDB-2022-008408" }, { "db": "VULMON", "id": "CVE-2022-24842" } ], "trust": 1.71 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2022-24842", "trust": 3.3 }, { "db": "JVNDB", "id": "JVNDB-2022-008408", "trust": 0.8 }, { "db": "CS-HELP", "id": "SB2022062921", "trust": 0.6 }, { "db": "CNNVD", "id": "CNNVD-202204-3225", "trust": 0.6 }, { "db": "VULMON", "id": "CVE-2022-24842", "trust": 0.1 } ], "sources": [ { "db": "VULMON", "id": "CVE-2022-24842" }, { "db": "JVNDB", "id": "JVNDB-2022-008408" }, { "db": "NVD", "id": "CVE-2022-24842" }, { "db": "CNNVD", "id": "CNNVD-202204-3225" } ] }, "id": "VAR-202204-0667", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "VARIoT devices database", "id": null } ], "trust": 0.18899521 }, "last_update_date": "2023-12-18T13:37:00.588000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "MinIO Security vulnerabilities", "trust": 0.6, "url": "http://123.124.177.30/web/xxk/bdxqbyid.tag?id=190450" } ], "sources": [ { "db": "CNNVD", "id": "CNNVD-202204-3225" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "NVD-CWE-Other", "trust": 1.0 }, { "problemtype": "others (CWE-Other) [NVD 
evaluation ]", "trust": 0.8 } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2022-008408" }, { "db": "NVD", "id": "CVE-2022-24842" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 2.5, "url": "https://github.com/minio/minio/security/advisories/ghsa-2j69-jjmg-534q" }, { "trust": 2.5, "url": "https://github.com/minio/minio/commit/66b14a0d32684d527ae8018dc6d9d46ccce58ae3" }, { "trust": 2.5, "url": "https://github.com/minio/minio/pull/14729" }, { "trust": 0.8, "url": "https://nvd.nist.gov/vuln/detail/cve-2022-24842" }, { "trust": 0.6, "url": "https://cxsecurity.com/cveshow/cve-2022-24842/" }, { "trust": 0.6, "url": "https://www.cybersecurity-help.cz/vdb/sb2022062921" }, { "trust": 0.1, "url": "https://cwe.mitre.org/data/definitions/269.html" }, { "trust": 0.1, "url": "https://nvd.nist.gov" } ], "sources": [ { "db": "VULMON", "id": "CVE-2022-24842" }, { "db": "JVNDB", "id": "JVNDB-2022-008408" }, { "db": "NVD", "id": "CVE-2022-24842" }, { "db": "CNNVD", "id": "CNNVD-202204-3225" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "VULMON", "id": "CVE-2022-24842" }, { "db": "JVNDB", "id": "JVNDB-2022-008408" }, { "db": "NVD", "id": "CVE-2022-24842" }, { "db": "CNNVD", "id": "CNNVD-202204-3225" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2022-04-12T00:00:00", "db": "VULMON", "id": "CVE-2022-24842" }, { "date": "2023-07-26T00:00:00", "db": "JVNDB", "id": "JVNDB-2022-008408" }, { "date": "2022-04-12T18:15:09.690000", "db": "NVD", "id": "CVE-2022-24842" }, { "date": "2022-04-12T00:00:00", "db": "CNNVD", "id": "CNNVD-202204-3225" } ] }, "sources_update_date": { 
"@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2022-04-23T00:00:00", "db": "VULMON", "id": "CVE-2022-24842" }, { "date": "2023-07-26T08:26:00", "db": "JVNDB", "id": "JVNDB-2022-008408" }, { "date": "2023-07-06T13:51:44.233000", "db": "NVD", "id": "CVE-2022-24842" }, { "date": "2023-07-07T00:00:00", "db": "CNNVD", "id": "CNNVD-202204-3225" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "CNNVD", "id": "CNNVD-202204-3225" } ], "trust": 0.6 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Minio\u00a0Inc.\u00a0 of \u00a0Minio\u00a0 Vulnerability in", "sources": [ { "db": "JVNDB", "id": "JVNDB-2022-008408" } ], "trust": 0.8 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "other", "sources": [ { "db": "CNNVD", "id": "CNNVD-202204-3225" } ], "trust": 0.6 } }
var-202303-1729
Vulnerability from variot
Minio is a Multi-Cloud Object Storage framework. All users on Windows prior to version RELEASE.2023-03-20T20-16-18Z are impacted. MinIO fails to filter the `\` character, which allows for arbitrary object placement across buckets. As a result, a user with low privileges, such as an access key, service account, or STS credential, which only has permission to `PutObject` in a specific bucket, can create an admin user. This issue is patched in RELEASE.2023-03-20T20-16-18Z. There are no known workarounds. Minio from Minio Inc. contains unspecified vulnerabilities: information may be obtained or tampered with, and service operation may be interrupted (DoS).
{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-202303-1729", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "minio", "scope": "lt", "trust": 1.0, "vendor": "minio", "version": "2023-03-20t20-16-18z" }, { "model": "minio", "scope": null, "trust": 0.8, "vendor": "minio", "version": null }, { "model": "minio", "scope": "eq", "trust": 0.8, "vendor": "minio", "version": null }, { "model": "minio", "scope": "eq", "trust": 0.8, "vendor": "minio", "version": "2023-03-20t20-16-18z" } ], 
"sources": [ { "db": "JVNDB", "id": "JVNDB-2023-005842" }, { "db": "NVD", "id": "CVE-2023-28433" } ] }, "configurations": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/configurations#", "children": { "@container": "@list" }, "cpe_match": { "@container": "@list" }, "data": { "@container": "@list" }, "nodes": { "@container": "@list" } }, "data": [ { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "2023-03-20t20-16-18z", "vulnerable": true } ], "operator": "OR" } ] } ], "sources": [ { "db": "NVD", "id": "CVE-2023-28433" } ] }, "cve": "CVE-2023-28433", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [], "cvssV3": [ { "attackComplexity": "LOW", "attackVector": "NETWORK", "author": "NVD", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "exploitabilityScore": 2.8, "impactScore": 5.9, "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "trust": 2.0, "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, { "attackComplexity": "Low", "attackVector": "Network", "author": "NVD", "availabilityImpact": "High", "baseScore": 8.8, "baseSeverity": "High", "confidentialityImpact": "High", 
"exploitabilityScore": null, "id": "CVE-2023-28433", "impactScore": null, "integrityImpact": "High", "privilegesRequired": "Low", "scope": "Unchanged", "trust": 0.8, "userInteraction": "None", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" } ], "severity": [ { "author": "NVD", "id": "CVE-2023-28433", "trust": 1.8, "value": "HIGH" }, { "author": "security-advisories@github.com", "id": "CVE-2023-28433", "trust": 1.0, "value": "HIGH" }, { "author": "CNNVD", "id": "CNNVD-202303-1793", "trust": 0.6, "value": "HIGH" } ] } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2023-005842" }, { "db": "NVD", "id": "CVE-2023-28433" }, { "db": "NVD", "id": "CVE-2023-28433" }, { "db": "CNNVD", "id": "CNNVD-202303-1793" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Minio is a Multi-Cloud Object Storage framework. All users on Windows prior to version RELEASE.2023-03-20T20-16-18Z are impacted. MinIO fails to filter the `\\` character, which allows for arbitrary object placement across buckets. As a result, a user with low privileges, such as an access key, service account, or STS credential, which only has permission to `PutObject` in a specific bucket, can create an admin user. This issue is patched in RELEASE.2023-03-20T20-16-18Z. There are no known workarounds. Minio Inc. of Minio Exists in unspecified vulnerabilities.Information is obtained, information is tampered with, and service operation is interrupted. 
(DoS) It may be in a state", "sources": [ { "db": "NVD", "id": "CVE-2023-28433" }, { "db": "JVNDB", "id": "JVNDB-2023-005842" }, { "db": "VULMON", "id": "CVE-2023-28433" } ], "trust": 1.71 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2023-28433", "trust": 3.3 }, { "db": "JVNDB", "id": "JVNDB-2023-005842", "trust": 0.8 }, { "db": "CNNVD", "id": "CNNVD-202303-1793", "trust": 0.6 }, { "db": "VULMON", "id": "CVE-2023-28433", "trust": 0.1 } ], "sources": [ { "db": "VULMON", "id": "CVE-2023-28433" }, { "db": "JVNDB", "id": "JVNDB-2023-005842" }, { "db": "NVD", "id": "CVE-2023-28433" }, { "db": "CNNVD", "id": "CNNVD-202303-1793" } ] }, "id": "VAR-202303-1729", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "VARIoT devices database", "id": null } ], "trust": 0.18899521 }, "last_update_date": "2023-12-18T13:41:34.735000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "MinIO Security vulnerabilities", "trust": 0.6, "url": "http://123.124.177.30/web/xxk/bdxqbyid.tag?id=230917" } ], "sources": [ { "db": "CNNVD", "id": "CNNVD-202303-1793" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "NVD-CWE-noinfo", "trust": 1.0 }, { "problemtype": "Lack of information (CWE-noinfo) [NVD evaluation ]", "trust": 0.8 } ], "sources": [ { 
"db": "JVNDB", "id": "JVNDB-2023-005842" }, { "db": "NVD", "id": "CVE-2023-28433" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 2.5, "url": "https://github.com/minio/minio/commit/8d6558b23649f613414c8527b58973fbdfa4d1b8" }, { "trust": 2.5, "url": "https://github.com/minio/minio/security/advisories/ghsa-w23q-4hw3-2pp6" }, { "trust": 2.5, "url": "https://github.com/minio/minio/commit/b3c54ec81e0a06392abfb3a1ffcdc80c6fbf6ebc" }, { "trust": 2.5, "url": "https://github.com/minio/minio/releases/tag/release.2023-03-20t20-16-18z" }, { "trust": 0.8, "url": "https://nvd.nist.gov/vuln/detail/cve-2023-28433" }, { "trust": 0.6, "url": "https://cxsecurity.com/cveshow/cve-2023-28433/" }, { "trust": 0.1, "url": "https://cwe.mitre.org/data/definitions/668.html" }, { "trust": 0.1, "url": "https://nvd.nist.gov" } ], "sources": [ { "db": "VULMON", "id": "CVE-2023-28433" }, { "db": "JVNDB", "id": "JVNDB-2023-005842" }, { "db": "NVD", "id": "CVE-2023-28433" }, { "db": "CNNVD", "id": "CNNVD-202303-1793" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "VULMON", "id": "CVE-2023-28433" }, { "db": "JVNDB", "id": "JVNDB-2023-005842" }, { "db": "NVD", "id": "CVE-2023-28433" }, { "db": "CNNVD", "id": "CNNVD-202303-1793" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2023-03-22T00:00:00", "db": "VULMON", "id": "CVE-2023-28433" }, { "date": "2023-11-10T00:00:00", "db": "JVNDB", "id": "JVNDB-2023-005842" }, { "date": "2023-03-22T21:15:18.340000", "db": "NVD", "id": "CVE-2023-28433" }, { "date": "2023-03-22T00:00:00", "db": "CNNVD", "id": "CNNVD-202303-1793" } ] }, 
"sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2023-03-23T00:00:00", "db": "VULMON", "id": "CVE-2023-28433" }, { "date": "2023-11-10T04:23:00", "db": "JVNDB", "id": "JVNDB-2023-005842" }, { "date": "2023-03-28T16:25:36.637000", "db": "NVD", "id": "CVE-2023-28433" }, { "date": "2023-03-29T00:00:00", "db": "CNNVD", "id": "CNNVD-202303-1793" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "CNNVD", "id": "CNNVD-202303-1793" } ], "trust": 0.6 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Minio\u00a0Inc.\u00a0 of \u00a0Minio\u00a0 Vulnerability in", "sources": [ { "db": "JVNDB", "id": "JVNDB-2023-005842" } ], "trust": 0.8 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "other", "sources": [ { "db": "CNNVD", "id": "CNNVD-202303-1793" } ], "trust": 0.6 } }
var-201806-0819
Vulnerability from variot
Minio Inc. Minio S3 server versions prior to RELEASE.2018-05-16T23-35-33Z contain an Allocation of Memory Without Limits or Throttling (similar to CWE-774) vulnerability in write-to-RAM that can result in Denial of Service. This attack appears to be exploitable by sending V4-(pre)signed requests with large bodies. This vulnerability appears to have been fixed in commit 9c8b7306f55f2c8c0a5c7cea9a8db9d34be8faa7.
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-201806-0819", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "minio", "scope": "lt", "trust": 1.0, "vendor": "minio", "version": "2018-05-16t23-35-33z" }, { "model": "minio", "scope": "eq", "trust": 0.8, "vendor": "minio", "version": "release.2018-05-16t23-35-33z" }, { "model": "minio", "scope": "eq", "trust": 0.6, 
"vendor": "minio", "version": "2018-03-19t19-22-06z" }, { "model": "minio", "scope": "eq", "trust": 0.6, "vendor": "minio", "version": "2018-04-04t05-20-54z" }, { "model": "minio", "scope": "eq", "trust": 0.6, "vendor": "minio", "version": "2018-04-12t23-41-09z" }, { "model": "minio", "scope": "eq", "trust": 0.6, "vendor": "minio", "version": "2018-04-19t22-54-58z" }, { "model": "minio", "scope": "eq", "trust": 0.6, "vendor": "minio", "version": "2018-05-10t00-00-42z" }, { "model": "minio", "scope": "eq", "trust": 0.6, "vendor": "minio", "version": "2018-03-30t00-38-44z" }, { "model": "minio", "scope": "eq", "trust": 0.6, "vendor": "minio", "version": "2018-03-28t23-45-53z" }, { "model": "minio", "scope": "eq", "trust": 0.6, "vendor": "minio", "version": "2018-05-11t00-29-24z" }, { "model": "minio", "scope": "eq", "trust": 0.6, "vendor": "minio", "version": "2018-04-27t23-33-52z" }, { "model": "minio", "scope": "eq", "trust": 0.6, "vendor": "minio", "version": "2018-05-04t23-13-12z" } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2018-006998" }, { "db": "NVD", "id": "CVE-2018-1000538" }, { "db": "CNNVD", "id": "CNNVD-201806-1260" } ] }, "configurations": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/configurations#", "children": { "@container": "@list" }, "cpe_match": { "@container": "@list" }, "data": { "@container": "@list" }, "nodes": { "@container": "@list" } }, "data": [ { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "2018-05-16t23-35-33z", "vulnerable": true } ], "operator": "OR" } ] } ], "sources": [ { "db": "NVD", "id": "CVE-2018-1000538" } ] }, "cve": "CVE-2018-1000538", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": 
"https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [ { "acInsufInfo": false, "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "author": "NVD", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "exploitabilityScore": 10.0, "impactScore": 2.9, "integrityImpact": "NONE", "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "trust": 1.0, "userInteractionRequired": false, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" }, { "acInsufInfo": null, "accessComplexity": "Low", "accessVector": "Network", "authentication": "None", "author": "NVD", "availabilityImpact": "Partial", "baseScore": 5.0, "confidentialityImpact": "None", "exploitabilityScore": null, "id": "CVE-2018-1000538", "impactScore": null, "integrityImpact": "None", "obtainAllPrivilege": null, "obtainOtherPrivilege": null, "obtainUserPrivilege": null, "severity": "Medium", "trust": 0.8, "userInteractionRequired": null, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" } ], "cvssV3": [ { "attackComplexity": "LOW", "attackVector": "NETWORK", "author": "NVD", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "exploitabilityScore": 3.9, "impactScore": 3.6, "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "trust": 1.0, "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0" }, { "attackComplexity": "Low", "attackVector": "Network", "author": "NVD", 
"availabilityImpact": "High", "baseScore": 7.5, "baseSeverity": "High", "confidentialityImpact": "None", "exploitabilityScore": null, "id": "CVE-2018-1000538", "impactScore": null, "integrityImpact": "None", "privilegesRequired": "None", "scope": "Unchanged", "trust": 0.8, "userInteraction": "None", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0" } ], "severity": [ { "author": "NVD", "id": "CVE-2018-1000538", "trust": 1.8, "value": "HIGH" }, { "author": "CNNVD", "id": "CNNVD-201806-1260", "trust": 0.6, "value": "MEDIUM" } ] } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2018-006998" }, { "db": "NVD", "id": "CVE-2018-1000538" }, { "db": "CNNVD", "id": "CNNVD-201806-1260" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Minio Inc. Minio S3 server version prior to RELEASE.2018-05-16T23-35-33Z contains a Allocation of Memory Without Limits or Throttling (similar to CWE-774) vulnerability in write-to-RAM that can result in Denial of Service. This attack appear to be exploitable via Sending V4-(pre)signed requests with large bodies . 
This vulnerability appears to have been fixed in after commit 9c8b7306f55f2c8c0a5c7cea9a8db9d34be8faa7", "sources": [ { "db": "NVD", "id": "CVE-2018-1000538" }, { "db": "JVNDB", "id": "JVNDB-2018-006998" } ], "trust": 1.62 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2018-1000538", "trust": 2.4 }, { "db": "JVNDB", "id": "JVNDB-2018-006998", "trust": 0.8 }, { "db": "CNNVD", "id": "CNNVD-201806-1260", "trust": 0.6 } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2018-006998" }, { "db": "NVD", "id": "CVE-2018-1000538" }, { "db": "CNNVD", "id": "CNNVD-201806-1260" } ] }, "id": "VAR-201806-0819", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "VARIoT devices database", "id": null } ], "trust": 0.18899521 }, "last_update_date": "2023-12-18T12:36:44.963000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "security: fix write-to-RAM DoS vulnerability (#5957)", "trust": 0.8, "url": "https://github.com/minio/minio/commit/9c8b7306f55f2c8c0a5c7cea9a8db9d34be8faa7#diff-e8c3bc9bc83b5516d0cc806cd461d08bl220" }, { "title": "Minio S3 server Security vulnerabilities", "trust": 0.6, "url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=81537" } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2018-006998" }, { "db": "CNNVD", "id": "CNNVD-201806-1260" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": 
"https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "CWE-774", "trust": 1.8 } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2018-006998" }, { "db": "NVD", "id": "CVE-2018-1000538" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 1.6, "url": "https://github.com/minio/minio/commit/9c8b7306f55f2c8c0a5c7cea9a8db9d34be8faa7#diff-e8c3bc9bc83b5516d0cc806cd461d08bl220" }, { "trust": 1.6, "url": "https://github.com/minio/minio/pull/5957" }, { "trust": 0.8, "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-1000538" }, { "trust": 0.8, "url": "https://nvd.nist.gov/vuln/detail/cve-2018-1000538" } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2018-006998" }, { "db": "NVD", "id": "CVE-2018-1000538" }, { "db": "CNNVD", "id": "CNNVD-201806-1260" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "JVNDB", "id": "JVNDB-2018-006998" }, { "db": "NVD", "id": "CVE-2018-1000538" }, { "db": "CNNVD", "id": "CNNVD-201806-1260" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2018-09-05T00:00:00", "db": "JVNDB", "id": "JVNDB-2018-006998" }, { "date": "2018-06-26T16:29:02.133000", "db": "NVD", "id": "CVE-2018-1000538" }, { "date": "2018-06-26T00:00:00", "db": "CNNVD", "id": "CNNVD-201806-1260" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2018-09-05T00:00:00", "db": "JVNDB", "id": "JVNDB-2018-006998" }, { "date": "2018-08-23T16:38:01.727000", "db": "NVD", "id": "CVE-2018-1000538" }, { "date": "2018-06-28T00:00:00", "db": "CNNVD", 
"id": "CNNVD-201806-1260" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "CNNVD", "id": "CNNVD-201806-1260" } ], "trust": 0.6 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Minio Inc. Minio S3 Vulnerability in server descriptors or unrestricted file descriptor or handle allocation", "sources": [ { "db": "JVNDB", "id": "JVNDB-2018-006998" } ], "trust": 0.8 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "lack of information", "sources": [ { "db": "CNNVD", "id": "CNNVD-201806-1260" } ], "trust": 0.6 } }
var-202103-0649
Vulnerability from variot
MinIO is an open-source high performance object storage service and it is API compatible with Amazon S3 cloud storage service. In MinIO before version RELEASE.2021-03-17T02-33-02Z, there is a vulnerability which enables MITM modification of request bodies that are meant to have integrity guaranteed by chunk signatures. In a PUT request using aws-chunked encoding, MinIO ordinarily verifies signatures at the end of a chunk. This check can be skipped if the client sends a false chunk size that is much greater than the actual data sent: the server accepts and completes the request without ever reaching the end of the chunk, and thereby without ever checking the chunk signature. This is fixed in version RELEASE.2021-03-17T02-33-02Z. As a workaround, one can avoid using "aws-chunked" encoding-based chunk-signature upload requests and instead use TLS. MinIO SDKs automatically disable chunked-encoding signatures when the server endpoint is configured with TLS. MinIO contains a vulnerability related to improper enforcement of the integrity of messages being sent on a communication channel. Information may be tampered with.
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-202103-0649", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "minio", "scope": "lt", "trust": 1.0, "vendor": "minio", "version": "2021-03-17t02-33-02z" }, { "model": "minio", "scope": "eq", "trust": 0.8, "vendor": "minio", "version": null }, { "model": "minio", "scope": "eq", "trust": 0.8, "vendor": "minio", "version": 
"2021-03-17t02-33-02z" } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2021-004964" }, { "db": "NVD", "id": "CVE-2021-21390" } ] }, "configurations": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/configurations#", "children": { "@container": "@list" }, "cpe_match": { "@container": "@list" }, "data": { "@container": "@list" }, "nodes": { "@container": "@list" } }, "data": [ { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "2021-03-17t02-33-02z", "vulnerable": true } ], "operator": "OR" } ] } ], "sources": [ { "db": "NVD", "id": "CVE-2021-21390" } ] }, "cve": "CVE-2021-21390", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [ { "acInsufInfo": false, "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "author": "NVD", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "exploitabilityScore": 8.6, "impactScore": 2.9, "integrityImpact": "PARTIAL", "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "trust": 1.0, "userInteractionRequired": false, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, { "acInsufInfo": null, "accessComplexity": "Medium", "accessVector": "Network", "authentication": 
"None", "author": "NVD", "availabilityImpact": "None", "baseScore": 4.3, "confidentialityImpact": "None", "exploitabilityScore": null, "id": "CVE-2021-21390", "impactScore": null, "integrityImpact": "Partial", "obtainAllPrivilege": null, "obtainOtherPrivilege": null, "obtainUserPrivilege": null, "severity": "Medium", "trust": 0.9, "userInteractionRequired": null, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" } ], "cvssV3": [ { "attackComplexity": "HIGH", "attackVector": "NETWORK", "author": "NVD", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "exploitabilityScore": 2.2, "impactScore": 3.6, "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "trust": 1.0, "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" }, { "attackComplexity": "LOW", "attackVector": "NETWORK", "author": "security-advisories@github.com", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "exploitabilityScore": 2.8, "impactScore": 3.6, "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "trust": 1.0, "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1" }, { "attackComplexity": "High", "attackVector": "Network", "author": "NVD", "availabilityImpact": "None", "baseScore": 5.9, "baseSeverity": "Medium", "confidentialityImpact": "None", "exploitabilityScore": null, "id": "CVE-2021-21390", "impactScore": null, "integrityImpact": "High", "privilegesRequired": "None", "scope": "Unchanged", "trust": 0.8, "userInteraction": "None", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.0" } ], "severity": [ { "author": "NVD", "id": "CVE-2021-21390", "trust": 1.8, "value": "MEDIUM" }, { "author": "security-advisories@github.com", "id": "CVE-2021-21390", "trust": 1.0, "value": "MEDIUM" }, 
{ "author": "CNNVD", "id": "CNNVD-202103-1206", "trust": 0.6, "value": "MEDIUM" }, { "author": "VULMON", "id": "CVE-2021-21390", "trust": 0.1, "value": "MEDIUM" } ] } ], "sources": [ { "db": "VULMON", "id": "CVE-2021-21390" }, { "db": "JVNDB", "id": "JVNDB-2021-004964" }, { "db": "NVD", "id": "CVE-2021-21390" }, { "db": "NVD", "id": "CVE-2021-21390" }, { "db": "CNNVD", "id": "CNNVD-202103-1206" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "MinIO is an open-source high performance object storage service and it is API compatible with Amazon S3 cloud storage service. In MinIO before version RELEASE.2021-03-17T02-33-02Z, there is a vulnerability which enables MITM modification of request bodies that are meant to have integrity guaranteed by chunk signatures. In a PUT request using aws-chunked encoding, MinIO ordinarily verifies signatures at the end of a chunk. This check can be skipped if the client sends a false chunk size that is much greater than the actual data sent: the server accepts and completes the request without ever reaching the end of the chunk + thereby without ever checking the chunk signature. This is fixed in version RELEASE.2021-03-17T02-33-02Z. As a workaround one can avoid using \"aws-chunked\" encoding-based chunk signature upload requests instead use TLS. MinIO SDKs automatically disable chunked encoding signature when the server endpoint is configured with TLS. 
MinIO Contains a vulnerability related to improper enforcement of the integrity of messages being sent on a communication channel.Information may be tampered with", "sources": [ { "db": "NVD", "id": "CVE-2021-21390" }, { "db": "JVNDB", "id": "JVNDB-2021-004964" }, { "db": "VULMON", "id": "CVE-2021-21390" } ], "trust": 1.71 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2021-21390", "trust": 2.5 }, { "db": "JVNDB", "id": "JVNDB-2021-004964", "trust": 0.8 }, { "db": "CNNVD", "id": "CNNVD-202103-1206", "trust": 0.6 }, { "db": "VULMON", "id": "CVE-2021-21390", "trust": 0.1 } ], "sources": [ { "db": "VULMON", "id": "CVE-2021-21390" }, { "db": "JVNDB", "id": "JVNDB-2021-004964" }, { "db": "NVD", "id": "CVE-2021-21390" }, { "db": "CNNVD", "id": "CNNVD-202103-1206" } ] }, "id": "VAR-202103-0649", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "VARIoT devices database", "id": null } ], "trust": 0.18899521 }, "last_update_date": "2023-12-18T13:37:29.089000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "Chunked\u00a0body\u00a0signature\u00a0check\u00a0not\u00a0always\u00a0applied", "trust": 0.8, "url": "https://github.com/minio/minio/commit/e197800f9055489415b53cf137e31e194aaf7ba0" }, { "title": "Minio MinIO Security vulnerabilities", "trust": 0.6, "url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=144642" }, { "title": "Arch Linux Issues: ", "trust": 0.1, "url": 
"https://vulmon.com/vendoradvisory?qidtp=arch_linux_issues\u0026qid=cve-2021-21390 log" } ], "sources": [ { "db": "VULMON", "id": "CVE-2021-21390" }, { "db": "JVNDB", "id": "JVNDB-2021-004964" }, { "db": "CNNVD", "id": "CNNVD-202103-1206" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "CWE-924", "trust": 1.0 }, { "problemtype": "Improper enforcement of the integrity of the message being sent on the communication channel (CWE-924) [NVD Evaluation ]", "trust": 0.8 } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2021-004964" }, { "db": "NVD", "id": "CVE-2021-21390" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 1.7, "url": "https://github.com/minio/minio/commit/e197800f9055489415b53cf137e31e194aaf7ba0" }, { "trust": 1.7, "url": "https://github.com/minio/minio/pull/11801" }, { "trust": 1.7, "url": "https://github.com/minio/minio/security/advisories/ghsa-xr7r-7gpj-5pgp" }, { "trust": 1.4, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-21390" }, { "trust": 0.2, "url": "https://cwe.mitre.org/data/definitions/924.html" }, { "trust": 0.1, "url": "https://nvd.nist.gov" }, { "trust": 0.1, "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/198457" } ], "sources": [ { "db": "VULMON", "id": "CVE-2021-21390" }, { "db": "JVNDB", "id": "JVNDB-2021-004964" }, { "db": "NVD", "id": "CVE-2021-21390" }, { "db": "CNNVD", "id": "CNNVD-202103-1206" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "VULMON", "id": "CVE-2021-21390" }, { "db": "JVNDB", "id": "JVNDB-2021-004964" }, { "db": "NVD", "id": 
"CVE-2021-21390" }, { "db": "CNNVD", "id": "CNNVD-202103-1206" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2021-03-19T00:00:00", "db": "VULMON", "id": "CVE-2021-21390" }, { "date": "2021-12-02T00:00:00", "db": "JVNDB", "id": "JVNDB-2021-004964" }, { "date": "2021-03-19T16:15:12.920000", "db": "NVD", "id": "CVE-2021-21390" }, { "date": "2021-03-19T00:00:00", "db": "CNNVD", "id": "CNNVD-202103-1206" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2021-03-25T00:00:00", "db": "VULMON", "id": "CVE-2021-21390" }, { "date": "2021-12-02T09:08:00", "db": "JVNDB", "id": "JVNDB-2021-004964" }, { "date": "2021-03-25T20:29:34.060000", "db": "NVD", "id": "CVE-2021-21390" }, { "date": "2021-03-29T00:00:00", "db": "CNNVD", "id": "CNNVD-202103-1206" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "CNNVD", "id": "CNNVD-202103-1206" } ], "trust": 0.6 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "MinIO\u00a0 Vulnerability in improper enforcement of message integrity being sent on a communication channel in", "sources": [ { "db": "JVNDB", "id": "JVNDB-2021-004964" } ], "trust": 0.8 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "other", "sources": [ { "db": "CNNVD", "id": "CNNVD-202103-1206" } ], "trust": 0.6 } }
var-202401-1568
Vulnerability from variot
MinIO is a High Performance Object Storage. When someone creates an access key, it inherits the permissions of the parent key — not only for `s3:*` actions, but also for `admin:*` actions. This means that unless the `admin` rights are denied somewhere above in the access-key hierarchy, access keys are able to simply override their own `s3` permissions to something more permissive. The vulnerability is fixed in RELEASE.2024-01-31T20-20-33Z. Minio Inc.'s Minio contains a permission management vulnerability: information may be obtained, information may be tampered with, and service operation may be interrupted (DoS).
{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-202401-1568", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "minio", "scope": "eq", "trust": 1.8, "vendor": "minio", "version": "2024-01-31t20-20-33z" }, { "model": "minio", "scope": "eq", "trust": 0.8, "vendor": "minio", "version": null }, { "model": "minio", "scope": null, "trust": 0.8, "vendor": "minio", "version": null } ], "sources": [ { 
"db": "JVNDB", "id": "JVNDB-2024-002452" }, { "db": "NVD", "id": "CVE-2024-24747" } ] }, "cve": "CVE-2024-24747", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [], "cvssV3": [ { "attackComplexity": "LOW", "attackVector": "NETWORK", "author": "NVD", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "exploitabilityScore": 2.8, "impactScore": 5.9, "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "trust": 2.0, "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, { "attackComplexity": "Low", "attackVector": "Network", "author": "NVD", "availabilityImpact": "High", "baseScore": 8.8, "baseSeverity": "High", "confidentialityImpact": "High", "exploitabilityScore": null, "id": "CVE-2024-24747", "impactScore": null, "integrityImpact": "High", "privilegesRequired": "Low", "scope": "Unchanged", "trust": 0.8, "userInteraction": "None", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" } ], "severity": [ { "author": "NVD", "id": "CVE-2024-24747", "trust": 1.8, "value": "HIGH" }, { "author": "security-advisories@github.com", "id": "CVE-2024-24747", "trust": 1.0, "value": "HIGH" } ] } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2024-002452" }, { "db": "NVD", "id": "CVE-2024-24747" }, { 
"db": "NVD", "id": "CVE-2024-24747" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "MinIO is a High Performance Object Storage. When someone creates an access key, it inherits the permissions of the parent key. Not only for `s3:*` actions, but also `admin:*` actions. Which means unless somewhere above in the access-key hierarchy, the `admin` rights are denied, access keys will be able to simply override their own `s3` permissions to something more permissive. The vulnerability is fixed in RELEASE.2024-01-31T20-20-33Z. Minio Inc. of Minio Exists in a permission management vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state", "sources": [ { "db": "NVD", "id": "CVE-2024-24747" }, { "db": "JVNDB", "id": "JVNDB-2024-002452" }, { "db": "VULMON", "id": "CVE-2024-24747" } ], "trust": 1.71 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2024-24747", "trust": 2.7 }, { "db": "JVNDB", "id": "JVNDB-2024-002452", "trust": 0.8 }, { "db": "VULMON", "id": "CVE-2024-24747", "trust": 0.1 } ], "sources": [ { "db": "VULMON", "id": "CVE-2024-24747" }, { "db": "JVNDB", "id": "JVNDB-2024-002452" }, { "db": "NVD", "id": "CVE-2024-24747" } ] }, "id": "VAR-202401-1568", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "VARIoT devices database", "id": null } ], "trust": 0.18899521 }, "last_update_date": "2024-02-15T23:13:44.206000Z", "problemtype_data": { "@context": { 
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "CWE-269", "trust": 1.0 }, { "problemtype": "Improper authority management (CWE-269) [ others ]", "trust": 0.8 } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2024-002452" }, { "db": "NVD", "id": "CVE-2024-24747" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 1.9, "url": "https://github.com/minio/minio/security/advisories/ghsa-xx8w-mq23-29g4" }, { "trust": 1.9, "url": "https://github.com/minio/minio/commit/0ae4915a9391ef4b3ec80f5fcdcf24ee6884e776" }, { "trust": 1.9, "url": "https://github.com/minio/minio/releases/tag/release.2024-01-31t20-20-33z" }, { "trust": 0.8, "url": "https://nvd.nist.gov/vuln/detail/cve-2024-24747" }, { "trust": 0.1, "url": "https://cwe.mitre.org/data/definitions/269.html" }, { "trust": 0.1, "url": "https://nvd.nist.gov" } ], "sources": [ { "db": "VULMON", "id": "CVE-2024-24747" }, { "db": "JVNDB", "id": "JVNDB-2024-002452" }, { "db": "NVD", "id": "CVE-2024-24747" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "VULMON", "id": "CVE-2024-24747" }, { "db": "JVNDB", "id": "JVNDB-2024-002452" }, { "db": "NVD", "id": "CVE-2024-24747" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2024-01-31T00:00:00", "db": "VULMON", "id": "CVE-2024-24747" }, { "date": "2024-02-14T00:00:00", "db": "JVNDB", "id": "JVNDB-2024-002452" }, { "date": "2024-01-31T22:15:54.813000", "db": "NVD", "id": "CVE-2024-24747" } ] }, "sources_update_date": { "@context": { 
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2024-02-01T00:00:00", "db": "VULMON", "id": "CVE-2024-24747" }, { "date": "2024-02-14T06:58:00", "db": "JVNDB", "id": "JVNDB-2024-002452" }, { "date": "2024-02-09T15:18:00.510000", "db": "NVD", "id": "CVE-2024-24747" } ] }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Minio\u00a0Inc.\u00a0 of \u00a0Minio\u00a0 Vulnerability in privilege management in", "sources": [ { "db": "JVNDB", "id": "JVNDB-2024-002452" } ], "trust": 0.8 } }
var-202102-0960
Vulnerability from variot
MinIO is a High Performance Object Storage released under Apache License v2.0. In MinIO before version RELEASE.2021-01-30T00-20-58Z there is a server-side request forgery vulnerability. The target application may have functionality for importing data from a URL, publishing data to a URL, or otherwise reading data from a URL that can be tampered with. The attacker modifies the calls to this functionality by supplying a completely different URL or by manipulating how URLs are built (path traversal etc.). In a Server-Side Request Forgery (SSRF) attack, the attacker can abuse functionality on the server to read or update internal resources. The attacker can supply or modify a URL from which the code running on the server will read data or to which it will submit data; by carefully selecting the URLs, the attacker may be able to read server configuration such as AWS metadata, connect to internal services like HTTP-enabled databases, or perform POST requests towards internal services which are not intended to be exposed. This is fixed in version RELEASE.2021-01-30T00-20-58Z; all users are advised to upgrade. As a workaround you can disable the browser front-end with the "MINIO_BROWSER=off" environment variable. Minio is an open source object storage server from MinIO, USA. The product supports the construction of infrastructure for machine learning, analysis, and application data workloads.
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-202102-0960", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "minio", "scope": "lt", "trust": 1.0, "vendor": "minio", "version": "2021-01-30t00-20-58z" }, { "model": "minio", "scope": "eq", "trust": 0.8, "vendor": "minio", "version": null }, { "model": "minio", "scope": "eq", "trust": 0.8, "vendor": "minio", "version": "2021-01-30t00-20-58z" }, { "model": "minio", "scope": null, "trust": 0.6, 
"vendor": "minio", "version": null } ], "sources": [ { "db": "CNVD", "id": "CNVD-2021-19696" }, { "db": "JVNDB", "id": "JVNDB-2021-003153" }, { "db": "NVD", "id": "CVE-2021-21287" } ] }, "cve": "CVE-2021-21287", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [ { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "author": "nvd@nist.gov", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "exploitabilityScore": 8.0, "id": "CVE-2021-21287", "impactScore": 2.9, "integrityImpact": "NONE", "severity": "MEDIUM", "trust": 1.9, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0" }, { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "author": "CNVD", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "exploitabilityScore": 8.0, "id": "CNVD-2021-19696", "impactScore": 2.9, "integrityImpact": "NONE", "severity": "MEDIUM", "trust": 0.6, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0" } ], "cvssV3": [ { "attackComplexity": "LOW", "attackVector": "NETWORK", "author": "nvd@nist.gov", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "exploitabilityScore": 3.1, "id": "CVE-2021-21287", "impactScore": 4.0, "integrityImpact": "NONE", "privilegesRequired": 
"LOW", "scope": "CHANGED", "trust": 2.0, "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1" }, { "attackComplexity": "Low", "attackVector": "Network", "author": "OTHER", "availabilityImpact": "None", "baseScore": 7.7, "baseSeverity": "High", "confidentialityImpact": "High", "exploitabilityScore": null, "id": "JVNDB-2021-003153", "impactScore": null, "integrityImpact": "None", "privilegesRequired": "Low", "scope": "Changed", "trust": 0.8, "userInteraction": "None", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.0" } ], "severity": [ { "author": "nvd@nist.gov", "id": "CVE-2021-21287", "trust": 1.0, "value": "HIGH" }, { "author": "security-advisories@github.com", "id": "CVE-2021-21287", "trust": 1.0, "value": "HIGH" }, { "author": "NVD", "id": "CVE-2021-21287", "trust": 0.8, "value": "High" }, { "author": "CNVD", "id": "CNVD-2021-19696", "trust": 0.6, "value": "MEDIUM" }, { "author": "CNNVD", "id": "CNNVD-202102-009", "trust": 0.6, "value": "HIGH" }, { "author": "VULMON", "id": "CVE-2021-21287", "trust": 0.1, "value": "MEDIUM" } ] } ], "sources": [ { "db": "CNVD", "id": "CNVD-2021-19696" }, { "db": "VULMON", "id": "CVE-2021-21287" }, { "db": "JVNDB", "id": "JVNDB-2021-003153" }, { "db": "CNNVD", "id": "CNNVD-202102-009" }, { "db": "NVD", "id": "CVE-2021-21287" }, { "db": "NVD", "id": "CVE-2021-21287" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "MinIO is a High Performance Object Storage released under Apache License v2.0. In MinIO before version RELEASE.2021-01-30T00-20-58Z there is a server-side request forgery vulnerability. The target application may have functionality for importing data from a URL, publishing data to a URL, or otherwise reading data from a URL that can be tampered with. 
The attacker modifies the calls to this functionality by supplying a completely different URL or by manipulating how URLs are built (path traversal etc.). In a Server-Side Request Forgery (SSRF) attack, the attacker can abuse functionality on the server to read or update internal resources. The attacker can supply or modify a URL which the code running on the server will read or submit data, and by carefully selecting the URLs, the attacker may be able to read server configuration such as AWS metadata, connect to internal services like HTTP enabled databases, or perform post requests towards internal services which are not intended to be exposed. This is fixed in version RELEASE.2021-01-30T00-20-58Z, all users are advised to upgrade. As a workaround you can disable the browser front-end with \"MINIO_BROWSER=off\" environment variable. Minio is an open source object storage server from MinIO, USA. The product supports the construction of infrastructure for machine learning, analysis, and application data workloads", "sources": [ { "db": "NVD", "id": "CVE-2021-21287" }, { "db": "JVNDB", "id": "JVNDB-2021-003153" }, { "db": "CNVD", "id": "CNVD-2021-19696" }, { "db": "VULMON", "id": "CVE-2021-21287" } ], "trust": 2.25 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2021-21287", "trust": 3.1 }, { "db": "JVNDB", "id": "JVNDB-2021-003153", "trust": 0.8 }, { "db": "CNVD", "id": "CNVD-2021-19696", "trust": 0.6 }, { "db": "CNNVD", "id": "CNNVD-202102-009", "trust": 0.6 }, { "db": "VULMON", "id": "CVE-2021-21287", "trust": 0.1 } ], "sources": [ { "db": "CNVD", "id": "CNVD-2021-19696" }, { "db": "VULMON", "id": "CVE-2021-21287" }, { "db": "JVNDB", "id": "JVNDB-2021-003153" }, { "db": "CNNVD", "id": "CNNVD-202102-009" }, { "db": "NVD", "id": "CVE-2021-21287" } 
] }, "id": "VAR-202102-0960", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "CNVD", "id": "CNVD-2021-19696" } ], "trust": 0.06 }, "iot_taxonomy": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "category": [ "Network device" ], "sub_category": null, "trust": 0.6 } ], "sources": [ { "db": "CNVD", "id": "CNVD-2021-19696" } ] }, "last_update_date": "2024-11-23T22:54:54.546000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "Security\u00a0Bug\u00a0Fix\u00a0Release GitHub", "trust": 0.8, "url": "https://github.com/minio/minio/commit/eb6871ecd960d570f70698877209e6db181bf276" }, { "title": "Patch for MinIO cross-site request forgery vulnerability", "trust": 0.6, "url": "https://www.cnvd.org.cn/patchInfo/show/254121" }, { "title": "Minio MinIO Fixes for code issue vulnerabilities", "trust": 0.6, "url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=140428" }, { "title": "Arch Linux Advisories: [ASA-202102-10] minio: directory traversal", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=arch_linux_advisories\u0026qid=ASA-202102-10" }, { "title": "Arch Linux Issues: ", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=arch_linux_issues\u0026qid=CVE-2021-21287 log" }, { "title": "Cloud-Native-Security2", "trust": 0.1, "url": "https://github.com/reni2study/Cloud-Native-Security2 " } ], "sources": [ { "db": "CNVD", "id": "CNVD-2021-19696" }, { "db": "VULMON", "id": "CVE-2021-21287" }, { "db": "JVNDB", "id": 
"JVNDB-2021-003153" }, { "db": "CNNVD", "id": "CNNVD-202102-009" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "CWE-918", "trust": 1.0 }, { "problemtype": "Server-side request forgery (CWE-918) [ Other ]", "trust": 0.8 } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2021-003153" }, { "db": "NVD", "id": "CVE-2021-21287" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 2.0, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-21287" }, { "trust": 1.7, "url": "https://github.com/minio/minio/commit/eb6871ecd960d570f70698877209e6db181bf276" }, { "trust": 1.7, "url": "https://github.com/minio/minio/pull/11337" }, { "trust": 1.7, "url": "https://github.com/minio/minio/releases/tag/release.2021-01-30t00-20-58z" }, { "trust": 1.7, "url": "https://github.com/minio/minio/security/advisories/ghsa-m4qq-5f7c-693q" }, { "trust": 0.1, "url": "https://cwe.mitre.org/data/definitions/918.html" }, { "trust": 0.1, "url": "https://nvd.nist.gov" }, { "trust": 0.1, "url": "https://security.archlinux.org/asa-202102-10" }, { "trust": 0.1, "url": "https://security.archlinux.org/cve-2021-21287" } ], "sources": [ { "db": "CNVD", "id": "CNVD-2021-19696" }, { "db": "VULMON", "id": "CVE-2021-21287" }, { "db": "JVNDB", "id": "JVNDB-2021-003153" }, { "db": "CNNVD", "id": "CNNVD-202102-009" }, { "db": "NVD", "id": "CVE-2021-21287" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "CNVD", "id": "CNVD-2021-19696" }, { "db": "VULMON", "id": "CVE-2021-21287" }, { "db": "JVNDB", "id": "JVNDB-2021-003153" }, { "db": "CNNVD", "id": 
"CNNVD-202102-009" }, { "db": "NVD", "id": "CVE-2021-21287" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2021-03-21T00:00:00", "db": "CNVD", "id": "CNVD-2021-19696" }, { "date": "2021-02-01T00:00:00", "db": "VULMON", "id": "CVE-2021-21287" }, { "date": "2021-10-19T00:00:00", "db": "JVNDB", "id": "JVNDB-2021-003153" }, { "date": "2021-02-01T00:00:00", "db": "CNNVD", "id": "CNNVD-202102-009" }, { "date": "2021-02-01T18:15:13.890000", "db": "NVD", "id": "CVE-2021-21287" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2021-03-21T00:00:00", "db": "CNVD", "id": "CNVD-2021-19696" }, { "date": "2021-02-05T00:00:00", "db": "VULMON", "id": "CVE-2021-21287" }, { "date": "2021-10-19T08:04:00", "db": "JVNDB", "id": "JVNDB-2021-003153" }, { "date": "2021-02-09T00:00:00", "db": "CNNVD", "id": "CNNVD-202102-009" }, { "date": "2024-11-21T05:47:56.277000", "db": "NVD", "id": "CVE-2021-21287" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "CNNVD", "id": "CNNVD-202102-009" } ], "trust": 0.6 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "MinIO\u00a0 Server-side Request Forgery Vulnerability", "sources": [ { "db": "JVNDB", "id": "JVNDB-2021-003153" } ], "trust": 0.8 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "code problem", "sources": [ { "db": "CNNVD", "id": 
"CNNVD-202102-009" } ], "trust": 0.6 } }
var-202206-0648
Vulnerability from variot
MinIO is a multi-cloud object storage solution. Starting with version RELEASE.2019-09-25T18-25-51Z and ending with version RELEASE.2022-06-02T02-11-04Z, MinIO is vulnerable to an unending go-routine buildup while keeping connections established due to HTTP clients not closing the connections. Public-facing MinIO deployments are most affected. Users should upgrade to RELEASE.2022-06-02T02-11-04Z to receive a patch. One possible workaround is to use a reverse proxy in front of MinIO to limit the number of connections being attempted, and to actively reject connections from such malicious clients. Minio Inc.'s Minio contains a resource exhaustion vulnerability; service operation may be interrupted (DoS).
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-202206-0648", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "minio", "scope": "gte", "trust": 1.0, "vendor": "minio", "version": "2019-09-25t18-25-51z" }, { "model": "minio", "scope": "lt", "trust": 1.0, "vendor": "minio", "version": "2022-06-02t02-11-04z" }, { "model": "minio", "scope": "eq", "trust": 0.8, "vendor": 
"minio", "version": "2019-09-25t18-25-51z that\u0027s all 2022-06-02t02-11-04z" }, { "model": "minio", "scope": "eq", "trust": 0.8, "vendor": "minio", "version": null }, { "model": "minio", "scope": null, "trust": 0.8, "vendor": "minio", "version": null } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2022-011042" }, { "db": "NVD", "id": "CVE-2022-31028" } ] }, "configurations": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/configurations#", "children": { "@container": "@list" }, "cpe_match": { "@container": "@list" }, "data": { "@container": "@list" }, "nodes": { "@container": "@list" } }, "data": [ { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "2022-06-02t02-11-04z", "versionStartIncluding": "2019-09-25t18-25-51z", "vulnerable": true } ], "operator": "OR" } ] } ], "sources": [ { "db": "NVD", "id": "CVE-2022-31028" } ] }, "cve": "CVE-2022-31028", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [ { "acInsufInfo": false, "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "author": "NVD", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "exploitabilityScore": 10.0, "impactScore": 2.9, "integrityImpact": "NONE", "obtainAllPrivilege": false, 
"obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "trust": 1.0, "userInteractionRequired": false, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" }, { "acInsufInfo": null, "accessComplexity": "Low", "accessVector": "Network", "authentication": "None", "author": "NVD", "availabilityImpact": "Partial", "baseScore": 5.0, "confidentialityImpact": "None", "exploitabilityScore": null, "id": "CVE-2022-31028", "impactScore": null, "integrityImpact": "None", "obtainAllPrivilege": null, "obtainOtherPrivilege": null, "obtainUserPrivilege": null, "severity": "Medium", "trust": 0.8, "userInteractionRequired": null, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" } ], "cvssV3": [ { "attackComplexity": "LOW", "attackVector": "NETWORK", "author": "NVD", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "exploitabilityScore": 3.9, "impactScore": 3.6, "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "trust": 2.0, "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, { "attackComplexity": "Low", "attackVector": "Network", "author": "NVD", "availabilityImpact": "High", "baseScore": 7.5, "baseSeverity": "High", "confidentialityImpact": "None", "exploitabilityScore": null, "id": "CVE-2022-31028", "impactScore": null, "integrityImpact": "None", "privilegesRequired": "None", "scope": "Unchanged", "trust": 0.8, "userInteraction": "None", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0" } ], "severity": [ { "author": "NVD", "id": "CVE-2022-31028", "trust": 1.8, "value": "HIGH" }, { "author": "security-advisories@github.com", "id": "CVE-2022-31028", "trust": 1.0, "value": "HIGH" }, { "author": "CNNVD", "id": "CNNVD-202206-636", "trust": 0.6, "value": "HIGH" } ] } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2022-011042" }, { "db": "NVD", "id": 
"CVE-2022-31028" }, { "db": "NVD", "id": "CVE-2022-31028" }, { "db": "CNNVD", "id": "CNNVD-202206-636" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "MinIO is a multi-cloud object storage solution. Starting with version RELEASE.2019-09-25T18-25-51Z and ending with version RELEASE.2022-06-02T02-11-04Z, MinIO is vulnerable to an unending go-routine buildup while keeping connections established due to HTTP clients not closing the connections. Public-facing MinIO deployments are most affected. Users should upgrade to RELEASE.2022-06-02T02-11-04Z to receive a patch. One possible workaround is to use a reverse proxy to limit the number of connections being attempted in front of MinIO, and actively rejecting connections from such malicious clients. Minio Inc. of Minio Exists in a resource exhaustion vulnerability.Service operation interruption (DoS) It may be in a state", "sources": [ { "db": "NVD", "id": "CVE-2022-31028" }, { "db": "JVNDB", "id": "JVNDB-2022-011042" } ], "trust": 1.62 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2022-31028", "trust": 3.2 }, { "db": "JVNDB", "id": "JVNDB-2022-011042", "trust": 0.8 }, { "db": "CS-HELP", "id": "SB2022060628", "trust": 0.6 }, { "db": "CNNVD", "id": "CNNVD-202206-636", "trust": 0.6 } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2022-011042" }, { "db": "NVD", "id": "CVE-2022-31028" }, { "db": "CNNVD", "id": "CNNVD-202206-636" } ] }, "id": "VAR-202206-0648", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, 
"sources": [ { "db": "VARIoT devices database", "id": null } ], "trust": 0.18899521 }, "last_update_date": "2023-12-18T13:00:47.036000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "MinIO Remediation of resource management error vulnerabilities", "trust": 0.6, "url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=196270" } ], "sources": [ { "db": "CNNVD", "id": "CNNVD-202206-636" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "CWE-400", "trust": 1.0 }, { "problemtype": "Resource exhaustion (CWE-400) [NVD evaluation ]", "trust": 0.8 } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2022-011042" }, { "db": "NVD", "id": "CVE-2022-31028" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 2.4, "url": "https://gist.github.com/harshavardhana/2d00e6f909054d2d2524c71485ad02e1" }, { "trust": 2.4, "url": "https://github.com/minio/minio/pull/14995" }, { "trust": 2.4, "url": "https://github.com/minio/minio/releases/tag/release.2022-06-03t01-40-53z" }, { "trust": 2.4, "url": "https://github.com/minio/minio/security/advisories/ghsa-qrpr-r3pw-f636" }, { "trust": 0.8, "url": "https://nvd.nist.gov/vuln/detail/cve-2022-31028" }, { "trust": 0.6, "url": "https://vigilance.fr/vulnerability/minio-overload-via-unclosed-connections-39307" }, { "trust": 0.6, "url": "https://www.cybersecurity-help.cz/vdb/sb2022060628" }, { "trust": 0.6, "url": "https://cxsecurity.com/cveshow/cve-2022-31028/" } ], "sources": [ { 
"db": "JVNDB", "id": "JVNDB-2022-011042" }, { "db": "NVD", "id": "CVE-2022-31028" }, { "db": "CNNVD", "id": "CNNVD-202206-636" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "JVNDB", "id": "JVNDB-2022-011042" }, { "db": "NVD", "id": "CVE-2022-31028" }, { "db": "CNNVD", "id": "CNNVD-202206-636" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2023-08-18T00:00:00", "db": "JVNDB", "id": "JVNDB-2022-011042" }, { "date": "2022-06-07T16:15:07.760000", "db": "NVD", "id": "CVE-2022-31028" }, { "date": "2022-06-06T00:00:00", "db": "CNNVD", "id": "CNNVD-202206-636" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2023-08-18T08:21:00", "db": "JVNDB", "id": "JVNDB-2022-011042" }, { "date": "2022-06-14T14:40:02.617000", "db": "NVD", "id": "CVE-2022-31028" }, { "date": "2022-09-20T00:00:00", "db": "CNNVD", "id": "CNNVD-202206-636" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "CNNVD", "id": "CNNVD-202206-636" } ], "trust": 0.6 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Minio\u00a0Inc.\u00a0 of \u00a0Minio\u00a0 Resource exhaustion vulnerability in", "sources": [ { "db": "JVNDB", "id": "JVNDB-2022-011042" } ], "trust": 0.8 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "resource 
management error", "sources": [ { "db": "CNNVD", "id": "CNNVD-202206-636" } ], "trust": 0.6 } }
var-202208-0159
Vulnerability from variot
MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. In affected versions all 'admin' users authorized for admin:ServerUpdate can selectively trigger an error that, in response, returns the content of the path requested. Any normal OS would allow access to contents at arbitrary paths that are readable by the MinIO process. Users are advised to upgrade. Users unable to upgrade may disable the ServerUpdate API by denying the admin:ServerUpdate action for their admin users via IAM policies. Minio Inc.'s Minio contains a path traversal vulnerability; information may be obtained.
{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-202208-0159", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "minio", "scope": "lt", "trust": 1.0, "vendor": "minio", "version": "2022-07-29t19-40-48z" }, { "model": "minio", "scope": null, "trust": 0.8, "vendor": "minio", "version": null }, { "model": "minio", "scope": "eq", "trust": 0.8, "vendor": "minio", "version": "2022-07-29t19-40-48z" }, { 
"model": "minio", "scope": "eq", "trust": 0.8, "vendor": "minio", "version": null } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2022-014251" }, { "db": "NVD", "id": "CVE-2022-35919" } ] }, "configurations": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/configurations#", "children": { "@container": "@list" }, "cpe_match": { "@container": "@list" }, "data": { "@container": "@list" }, "nodes": { "@container": "@list" } }, "data": [ { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "2022-07-29t19-40-48z", "vulnerable": true } ], "operator": "OR" } ] } ], "sources": [ { "db": "NVD", "id": "CVE-2022-35919" } ] }, "cve": "CVE-2022-35919", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [], "cvssV3": [ { "attackComplexity": "LOW", "attackVector": "NETWORK", "author": "NVD", "availabilityImpact": "NONE", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "exploitabilityScore": 1.2, "impactScore": 1.4, "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "trust": 1.0, "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, { "attackComplexity": "LOW", "attackVector": "NETWORK", "author": "security-advisories@github.com", 
"availabilityImpact": "LOW", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "exploitabilityScore": 3.1, "impactScore": 3.7, "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "trust": 1.0, "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L", "version": "3.1" }, { "attackComplexity": "Low", "attackVector": "Network", "author": "NVD", "availabilityImpact": "None", "baseScore": 2.7, "baseSeverity": "Low", "confidentialityImpact": "Low", "exploitabilityScore": null, "id": "CVE-2022-35919", "impactScore": null, "integrityImpact": "None", "privilegesRequired": "High", "scope": "Unchanged", "trust": 0.8, "userInteraction": "None", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "version": "3.0" } ], "severity": [ { "author": "NVD", "id": "CVE-2022-35919", "trust": 1.8, "value": "LOW" }, { "author": "security-advisories@github.com", "id": "CVE-2022-35919", "trust": 1.0, "value": "HIGH" }, { "author": "CNNVD", "id": "CNNVD-202208-1987", "trust": 0.6, "value": "LOW" } ] } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2022-014251" }, { "db": "NVD", "id": "CVE-2022-35919" }, { "db": "NVD", "id": "CVE-2022-35919" }, { "db": "CNNVD", "id": "CNNVD-202208-1987" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. In affected versions all \u0027admin\u0027 users authorized for `admin:ServerUpdate` can selectively trigger an error that in response, returns the content of the path requested. Any normal OS system would allow access to contents at any arbitrary paths that are readable by MinIO process. Users are advised to upgrade. 
Users unable to upgrade may disable ServerUpdate API by denying the `admin:ServerUpdate` action for your admin users via IAM policies. Minio Inc. of Minio Exists in a past traversal vulnerability.Information may be obtained", "sources": [ { "db": "NVD", "id": "CVE-2022-35919" }, { "db": "JVNDB", "id": "JVNDB-2022-014251" }, { "db": "VULMON", "id": "CVE-2022-35919" } ], "trust": 1.71 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2022-35919", "trust": 3.3 }, { "db": "PACKETSTORM", "id": "175010", "trust": 1.0 }, { "db": "JVNDB", "id": "JVNDB-2022-014251", "trust": 0.8 }, { "db": "CNNVD", "id": "CNNVD-202208-1987", "trust": 0.6 }, { "db": "VULMON", "id": "CVE-2022-35919", "trust": 0.1 } ], "sources": [ { "db": "VULMON", "id": "CVE-2022-35919" }, { "db": "JVNDB", "id": "JVNDB-2022-014251" }, { "db": "NVD", "id": "CVE-2022-35919" }, { "db": "CNNVD", "id": "CNNVD-202208-1987" } ] }, "id": "VAR-202208-0159", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "VARIoT devices database", "id": null } ], "trust": 0.18899521 }, "last_update_date": "2023-12-18T13:32:01.265000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "MinIO Repair measures for path traversal vulnerabilities", "trust": 0.6, "url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=203876" } ], "sources": [ { "db": "CNNVD", "id": "CNNVD-202208-1987" } ] }, "problemtype_data": { "@context": { "@vocab": 
"https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "CWE-22", "trust": 1.0 }, { "problemtype": "Path traversal (CWE-22) [ others ]", "trust": 0.8 } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2022-014251" }, { "db": "NVD", "id": "CVE-2022-35919" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 2.5, "url": "https://github.com/minio/minio/commit/bc72e4226e669d98c8e0f3eccc9297be9251c692" }, { "trust": 2.5, "url": "https://github.com/minio/minio/pull/15429" }, { "trust": 2.5, "url": "https://github.com/minio/minio/security/advisories/ghsa-gr9v-6pcm-rqvg" }, { "trust": 1.0, "url": "http://packetstormsecurity.com/files/175010/minio-2022-07-29t19-40-48z-path-traversal.html" }, { "trust": 0.8, "url": "https://nvd.nist.gov/vuln/detail/cve-2022-35919" }, { "trust": 0.6, "url": "https://cxsecurity.com/cveshow/cve-2022-35919/" }, { "trust": 0.6, "url": "https://vigilance.fr/vulnerability/minio-file-reading-via-admin-serverupdate-39306" }, { "trust": 0.1, "url": "https://cwe.mitre.org/data/definitions/22.html" }, { "trust": 0.1, "url": "https://nvd.nist.gov" } ], "sources": [ { "db": "VULMON", "id": "CVE-2022-35919" }, { "db": "JVNDB", "id": "JVNDB-2022-014251" }, { "db": "NVD", "id": "CVE-2022-35919" }, { "db": "CNNVD", "id": "CNNVD-202208-1987" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "VULMON", "id": "CVE-2022-35919" }, { "db": "JVNDB", "id": "JVNDB-2022-014251" }, { "db": "NVD", "id": "CVE-2022-35919" }, { "db": "CNNVD", "id": "CNNVD-202208-1987" } ] }, "sources_release_date": { "@context": { "@vocab": 
"https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2022-08-01T00:00:00", "db": "VULMON", "id": "CVE-2022-35919" }, { "date": "2023-09-15T00:00:00", "db": "JVNDB", "id": "JVNDB-2022-014251" }, { "date": "2022-08-01T22:15:10.280000", "db": "NVD", "id": "CVE-2022-35919" }, { "date": "2022-08-01T00:00:00", "db": "CNNVD", "id": "CNNVD-202208-1987" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2022-08-02T00:00:00", "db": "VULMON", "id": "CVE-2022-35919" }, { "date": "2023-09-15T08:07:00", "db": "JVNDB", "id": "JVNDB-2022-014251" }, { "date": "2023-10-10T17:15:10.940000", "db": "NVD", "id": "CVE-2022-35919" }, { "date": "2022-09-20T00:00:00", "db": "CNNVD", "id": "CNNVD-202208-1987" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "CNNVD", "id": "CNNVD-202208-1987" } ], "trust": 0.6 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Minio\u00a0Inc.\u00a0 of \u00a0Minio\u00a0 Past traversal vulnerability in", "sources": [ { "db": "JVNDB", "id": "JVNDB-2022-014251" } ], "trust": 0.8 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "path traversal", "sources": [ { "db": "CNNVD", "id": "CNNVD-202208-1987" } ], "trust": 0.6 } }
var-202103-0605
Vulnerability from variot
MinIO is an open-source high performance object storage service and it is API compatible with Amazon S3 cloud storage service. In MinIO before version RELEASE.2021-03-04T00-53-13Z it is possible to bypass a readOnly policy by creating a temporary 'mc share upload' URL. Everyone who uses MinIO with multiple users is impacted. This is fixed in version RELEASE.2021-03-04T00-53-13Z. As a workaround, one can disable uploads with Content-Type: multipart/form-data, as mentioned in the S3 API RESTObjectPOST docs, by using a proxy in front of MinIO. MinIO contains an authorization vulnerability; information may be tampered with.
{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-202103-0605", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "minio", "scope": "lt", "trust": 1.0, "vendor": "minio", "version": "2021-03-04t00-53-13z" }, { "model": "minio", "scope": "eq", "trust": 0.8, "vendor": "minio", "version": "release.2021-03-04t00-53-13z" }, { "model": "minio", "scope": "eq", "trust": 0.8, "vendor": "minio", "version": 
null } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2021-004351" }, { "db": "NVD", "id": "CVE-2021-21362" } ] }, "configurations": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/configurations#", "children": { "@container": "@list" }, "cpe_match": { "@container": "@list" }, "data": { "@container": "@list" }, "nodes": { "@container": "@list" } }, "data": [ { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "2021-03-04t00-53-13z", "vulnerable": true } ], "operator": "OR" } ] } ], "sources": [ { "db": "NVD", "id": "CVE-2021-21362" } ] }, "cve": "CVE-2021-21362", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [ { "acInsufInfo": false, "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "author": "NVD", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "NONE", "exploitabilityScore": 8.0, "impactScore": 2.9, "integrityImpact": "PARTIAL", "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "trust": 1.0, "userInteractionRequired": false, "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0" }, { "acInsufInfo": null, "accessComplexity": "Low", "accessVector": "Network", "authentication": "Single", "author": 
"NVD", "availabilityImpact": "None", "baseScore": 4.0, "confidentialityImpact": "None", "exploitabilityScore": null, "id": "CVE-2021-21362", "impactScore": null, "integrityImpact": "Partial", "obtainAllPrivilege": null, "obtainOtherPrivilege": null, "obtainUserPrivilege": null, "severity": "Medium", "trust": 0.9, "userInteractionRequired": null, "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0" } ], "cvssV3": [ { "attackComplexity": "LOW", "attackVector": "NETWORK", "author": "NVD", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "exploitabilityScore": 2.8, "impactScore": 3.6, "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "trust": 1.0, "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" }, { "attackComplexity": "LOW", "attackVector": "NETWORK", "author": "security-advisories@github.com", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "exploitabilityScore": 3.1, "impactScore": 4.0, "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "trust": 1.0, "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N", "version": "3.1" }, { "attackComplexity": "Low", "attackVector": "Network", "author": "NVD", "availabilityImpact": "None", "baseScore": 6.5, "baseSeverity": "Medium", "confidentialityImpact": "None", "exploitabilityScore": null, "id": "CVE-2021-21362", "impactScore": null, "integrityImpact": "High", "privilegesRequired": "Low", "scope": "Unchanged", "trust": 0.8, "userInteraction": "None", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.0" } ], "severity": [ { "author": "NVD", "id": "CVE-2021-21362", "trust": 1.8, "value": "MEDIUM" }, { "author": "security-advisories@github.com", "id": "CVE-2021-21362", "trust": 1.0, "value": "HIGH" }, { "author": "CNNVD", "id": 
"CNNVD-202103-562", "trust": 0.6, "value": "MEDIUM" }, { "author": "VULMON", "id": "CVE-2021-21362", "trust": 0.1, "value": "MEDIUM" } ] } ], "sources": [ { "db": "VULMON", "id": "CVE-2021-21362" }, { "db": "JVNDB", "id": "JVNDB-2021-004351" }, { "db": "NVD", "id": "CVE-2021-21362" }, { "db": "NVD", "id": "CVE-2021-21362" }, { "db": "CNNVD", "id": "CNNVD-202103-562" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "MinIO is an open-source high performance object storage service and it is API compatible with Amazon S3 cloud storage service. In MinIO before version RELEASE.2021-03-04T00-53-13Z it is possible to bypass a readOnly policy by creating a temporary \u0027mc share upload\u0027 URL. Everyone is impacted who uses MinIO multi-users. This is fixed in version RELEASE.2021-03-04T00-53-13Z. As a workaround, one can disable uploads with `Content-Type: multipart/form-data` as mentioned in the S3 API RESTObjectPOST docs by using a proxy in front of MinIO. 
MinIO Exists in an authorization vulnerability.Information may be tampered with", "sources": [ { "db": "NVD", "id": "CVE-2021-21362" }, { "db": "JVNDB", "id": "JVNDB-2021-004351" }, { "db": "VULMON", "id": "CVE-2021-21362" } ], "trust": 1.71 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2021-21362", "trust": 2.5 }, { "db": "JVNDB", "id": "JVNDB-2021-004351", "trust": 0.8 }, { "db": "CNNVD", "id": "CNNVD-202103-562", "trust": 0.6 }, { "db": "VULMON", "id": "CVE-2021-21362", "trust": 0.1 } ], "sources": [ { "db": "VULMON", "id": "CVE-2021-21362" }, { "db": "JVNDB", "id": "JVNDB-2021-004351" }, { "db": "NVD", "id": "CVE-2021-21362" }, { "db": "CNNVD", "id": "CNNVD-202103-562" } ] }, "id": "VAR-202103-0605", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "VARIoT devices database", "id": null } ], "trust": 0.18899521 }, "last_update_date": "2023-12-18T13:42:39.439000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "missing\u00a0user\u00a0policy\u00a0enforcement\u00a0in\u00a0PostPolicyHandler\u00a0(#11682)", "trust": 0.8, "url": "https://github.com/minio/minio/releases/tag/release.2021-03-04t00-53-13z" }, { "title": "MinIO Remediation measures for authorization problem vulnerabilities", "trust": 0.6, "url": "http://123.124.177.30/web/xxk/bdxqbyid.tag?id=144156" }, { "title": "Arch Linux Advisories: [ASA-202103-5] minio: access restriction bypass", "trust": 0.1, "url": 
"https://vulmon.com/vendoradvisory?qidtp=arch_linux_advisories\u0026qid=asa-202103-5" }, { "title": "Arch Linux Issues: ", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=arch_linux_issues\u0026qid=cve-2021-21362 log" } ], "sources": [ { "db": "VULMON", "id": "CVE-2021-21362" }, { "db": "JVNDB", "id": "JVNDB-2021-004351" }, { "db": "CNNVD", "id": "CNNVD-202103-562" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "CWE-863", "trust": 1.0 }, { "problemtype": "Inappropriate authorization (CWE-285) [ Other ]", "trust": 0.8 } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2021-004351" }, { "db": "NVD", "id": "CVE-2021-21362" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 1.7, "url": "https://github.com/minio/minio/commit/039f59b552319fcc2f83631bb421a7d4b82bc482" }, { "trust": 1.7, "url": "https://github.com/minio/minio/pull/11682" }, { "trust": 1.7, "url": "https://github.com/minio/minio/releases/tag/release.2021-03-04t00-53-13z" }, { "trust": 1.7, "url": "https://github.com/minio/minio/security/advisories/ghsa-hq5j-6r98-9m8v" }, { "trust": 1.4, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-21362" }, { "trust": 0.6, "url": "https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-redis-minio-golang-and-urllib3-affect-ibm-spectrum-protect-plus-container-backup-and-restore-for-kubernetes-and-openshift/" }, { "trust": 0.1, "url": "https://cwe.mitre.org/data/definitions/285.html" }, { "trust": 0.1, "url": "https://nvd.nist.gov" }, { "trust": 0.1, "url": "https://security.archlinux.org/asa-202103-5" }, { "trust": 0.1, "url": 
"https://security.archlinux.org/cve-2021-21362" } ], "sources": [ { "db": "VULMON", "id": "CVE-2021-21362" }, { "db": "JVNDB", "id": "JVNDB-2021-004351" }, { "db": "NVD", "id": "CVE-2021-21362" }, { "db": "CNNVD", "id": "CNNVD-202103-562" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "VULMON", "id": "CVE-2021-21362" }, { "db": "JVNDB", "id": "JVNDB-2021-004351" }, { "db": "NVD", "id": "CVE-2021-21362" }, { "db": "CNNVD", "id": "CNNVD-202103-562" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2021-03-08T00:00:00", "db": "VULMON", "id": "CVE-2021-21362" }, { "date": "2021-11-18T00:00:00", "db": "JVNDB", "id": "JVNDB-2021-004351" }, { "date": "2021-03-08T19:15:13.443000", "db": "NVD", "id": "CVE-2021-21362" }, { "date": "2021-03-08T00:00:00", "db": "CNNVD", "id": "CNNVD-202103-562" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2021-03-12T00:00:00", "db": "VULMON", "id": "CVE-2021-21362" }, { "date": "2021-11-18T08:52:00", "db": "JVNDB", "id": "JVNDB-2021-004351" }, { "date": "2022-10-21T22:40:12.743000", "db": "NVD", "id": "CVE-2021-21362" }, { "date": "2022-10-24T00:00:00", "db": "CNNVD", "id": "CNNVD-202103-562" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "CNNVD", "id": "CNNVD-202103-562" } ], "trust": 0.6 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "MinIO\u00a0 Authorization vulnerability in", 
"sources": [ { "db": "JVNDB", "id": "JVNDB-2021-004351" } ], "trust": 0.8 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "authorization issue", "sources": [ { "db": "CNNVD", "id": "CNNVD-202103-562" } ], "trust": 0.6 } }
var-202111-1069
Vulnerability from variot
Minio Console is a graphical user interface for the MinIO Operator. Minio itself is a multi-cloud object storage project. Affected versions are subject to an authentication bypass issue in the Operator Console when an external IDP is enabled. All users on release v0.12.2 and before are affected and are advised to update to 0.12.3 or newer. Users unable to upgrade should add automountServiceAccountToken: false to the operator-console deployment in Kubernetes so that no service account token is mounted inside the pod, then disable external identity provider authentication by unsetting the CONSOLE_IDP_URL, CONSOLE_IDP_CLIENT_ID, CONSOLE_IDP_SECRET and CONSOLE_IDP_CALLBACK environment variables and instead use the Kubernetes service account token. Minio Console contains a vulnerability involving a lack of authentication for critical features: information may be obtained, information may be tampered with, and service operation may be interrupted (DoS). MinIO is an open source object storage server from MinIO, Inc. in the United States. The product supports building infrastructure for machine learning, analytics, and application data workloads.
Minio 0.12.2 and earlier versions have an access control error vulnerability. No further vulnerability details are currently provided.
{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-202111-1069", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "minio console", "scope": "lt", "trust": 1.0, "vendor": "min", "version": "0.12.3" }, { "model": "console", "scope": "eq", "trust": 0.8, "vendor": "minio", "version": null }, { "model": "console", "scope": "lte", "trust": 0.8, "vendor": "minio", "version": "0.12.2 and earlier" }, { "model": "minio", "scope": "lte", "trust": 0.6, "vendor": "minio", "version": "\u003c=0.12.2" } ], "sources": [ { "db": "CNVD", "id": "CNVD-2021-88205" }, { "db": "JVNDB", "id": "JVNDB-2021-014927" }, { 
"db": "NVD", "id": "CVE-2021-41266" } ] }, "cve": "CVE-2021-41266", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [ { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "author": "nvd@nist.gov", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "exploitabilityScore": 8.6, "id": "CVE-2021-41266", "impactScore": 6.4, "integrityImpact": "PARTIAL", "severity": "MEDIUM", "trust": 1.9, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0" }, { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "author": "CNVD", "availabilityImpact": "PARTIAL", "baseScore": 9.0, "confidentialityImpact": "COMPLETE", "exploitabilityScore": 10.0, "id": "CNVD-2021-88205", "impactScore": 8.5, "integrityImpact": "PARTIAL", "severity": "HIGH", "trust": 0.6, "vectorString": "AV:N/AC:L/Au:N/C:C/I:P/A:P", "version": "2.0" } ], "cvssV3": [ { "attackComplexity": "LOW", "attackVector": "NETWORK", "author": "nvd@nist.gov", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "exploitabilityScore": 3.9, "id": "CVE-2021-41266", "impactScore": 5.9, "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "trust": 1.0, "userInteraction": "NONE", "vectorString": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, { "attackComplexity": "LOW", "attackVector": "NETWORK", "author": "security-advisories@github.com", "availabilityImpact": "LOW", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "exploitabilityScore": 3.9, "id": "CVE-2021-41266", "impactScore": 4.7, "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "trust": 1.0, "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L", "version": "3.1" }, { "attackComplexity": "Low", "attackVector": "Network", "author": "NVD", "availabilityImpact": "High", "baseScore": 9.8, "baseSeverity": "Critical", "confidentialityImpact": "High", "exploitabilityScore": null, "id": "CVE-2021-41266", "impactScore": null, "integrityImpact": "High", "privilegesRequired": "None", "scope": "Unchanged", "trust": 0.8, "userInteraction": "None", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" } ], "severity": [ { "author": "nvd@nist.gov", "id": "CVE-2021-41266", "trust": 1.0, "value": "CRITICAL" }, { "author": "security-advisories@github.com", "id": "CVE-2021-41266", "trust": 1.0, "value": "HIGH" }, { "author": "NVD", "id": "CVE-2021-41266", "trust": 0.8, "value": "Critical" }, { "author": "CNVD", "id": "CNVD-2021-88205", "trust": 0.6, "value": "HIGH" }, { "author": "CNNVD", "id": "CNNVD-202111-1271", "trust": 0.6, "value": "HIGH" }, { "author": "VULMON", "id": "CVE-2021-41266", "trust": 0.1, "value": "MEDIUM" } ] } ], "sources": [ { "db": "CNVD", "id": "CNVD-2021-88205" }, { "db": "VULMON", "id": "CVE-2021-41266" }, { "db": "JVNDB", "id": "JVNDB-2021-014927" }, { "db": "CNNVD", "id": "CNNVD-202111-1271" }, { "db": "NVD", "id": "CVE-2021-41266" }, { "db": "NVD", "id": "CVE-2021-41266" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": 
"https://www.variotdbs.pl/ref/sources#" } } }, "data": "Minio console is a graphical user interface for the for MinIO operator. Minio itself is a multi-cloud object storage project. Affected versions are subject to an authentication bypass issue in the Operator Console when an external IDP is enabled. All users on release v0.12.2 and before are affected and are advised to update to 0.12.3 or newer. Users unable to upgrade should add automountServiceAccountToken: false to the operator-console deployment in Kubernetes so no service account token will get mounted inside the pod, then disable the external identity provider authentication by unset the CONSOLE_IDP_URL, CONSOLE_IDP_CLIENT_ID, CONSOLE_IDP_SECRET and CONSOLE_IDP_CALLBACK environment variable and instead use the Kubernetes service account token. Minio console There is a vulnerability in the lack of authentication for critical features.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. Minio MinIO is an open source object storage server from MinIO (Minio) in the United States. The product supports the construction of infrastructure for machine learning, analytics, and application data workloads. \n\r\n\r\nMinio 0.12.2 and earlier versions have an access control error vulnerability. 
No detailed vulnerability details are currently provided", "sources": [ { "db": "NVD", "id": "CVE-2021-41266" }, { "db": "JVNDB", "id": "JVNDB-2021-014927" }, { "db": "CNVD", "id": "CNVD-2021-88205" }, { "db": "VULMON", "id": "CVE-2021-41266" } ], "trust": 2.25 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2021-41266", "trust": 3.9 }, { "db": "JVNDB", "id": "JVNDB-2021-014927", "trust": 0.8 }, { "db": "CNVD", "id": "CNVD-2021-88205", "trust": 0.6 }, { "db": "CNNVD", "id": "CNNVD-202111-1271", "trust": 0.6 }, { "db": "VULMON", "id": "CVE-2021-41266", "trust": 0.1 } ], "sources": [ { "db": "CNVD", "id": "CNVD-2021-88205" }, { "db": "VULMON", "id": "CVE-2021-41266" }, { "db": "JVNDB", "id": "JVNDB-2021-014927" }, { "db": "CNNVD", "id": "CNNVD-202111-1271" }, { "db": "NVD", "id": "CVE-2021-41266" } ] }, "id": "VAR-202111-1069", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "CNVD", "id": "CNVD-2021-88205" } ], "trust": 0.06 }, "iot_taxonomy": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "category": [ "Network device" ], "sub_category": null, "trust": 0.6 } ], "sources": [ { "db": "CNVD", "id": "CNVD-2021-88205" } ] }, "last_update_date": "2024-11-23T21:33:29.621000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": 
"Fixed\u00a0broken\u00a0oauth2\u00a0login\u00a0for\u00a0operator\u00a0#1217 GitHub", "trust": 0.8, "url": "https://github.com/minio/console/pull/1217" }, { "title": "Patch for Minio access control error vulnerability", "trust": 0.6, "url": "https://www.cnvd.org.cn/patchInfo/show/298151" }, { "title": "Minio Fixes for access control error vulnerabilities", "trust": 0.6, "url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=172335" }, { "title": "", "trust": 0.1, "url": "https://github.com/20142995/Goby " } ], "sources": [ { "db": "CNVD", "id": "CNVD-2021-88205" }, { "db": "VULMON", "id": "CVE-2021-41266" }, { "db": "JVNDB", "id": "JVNDB-2021-014927" }, { "db": "CNNVD", "id": "CNNVD-202111-1271" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "CWE-306", "trust": 1.0 }, { "problemtype": "Lack of authentication for critical features (CWE-306) [ others ]", "trust": 0.8 } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2021-014927" }, { "db": "NVD", "id": "CVE-2021-41266" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 2.0, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-41266" }, { "trust": 1.7, "url": "https://github.com/minio/console/pull/1217" }, { "trust": 1.7, "url": "https://github.com/minio/console/security/advisories/ghsa-4999-659w-mq36" }, { "trust": 0.1, "url": "https://cwe.mitre.org/data/definitions/306.html" }, { "trust": 0.1, "url": "https://nvd.nist.gov" }, { "trust": 0.1, "url": "https://github.com/20142995/goby" } ], "sources": [ { "db": "CNVD", "id": "CNVD-2021-88205" }, { "db": "VULMON", "id": "CVE-2021-41266" }, { "db": "JVNDB", "id": "JVNDB-2021-014927" }, { 
"db": "CNNVD", "id": "CNNVD-202111-1271" }, { "db": "NVD", "id": "CVE-2021-41266" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "CNVD", "id": "CNVD-2021-88205" }, { "db": "VULMON", "id": "CVE-2021-41266" }, { "db": "JVNDB", "id": "JVNDB-2021-014927" }, { "db": "CNNVD", "id": "CNNVD-202111-1271" }, { "db": "NVD", "id": "CVE-2021-41266" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2021-11-17T00:00:00", "db": "CNVD", "id": "CNVD-2021-88205" }, { "date": "2021-11-15T00:00:00", "db": "VULMON", "id": "CVE-2021-41266" }, { "date": "2022-11-02T00:00:00", "db": "JVNDB", "id": "JVNDB-2021-014927" }, { "date": "2021-11-15T00:00:00", "db": "CNNVD", "id": "CNNVD-202111-1271" }, { "date": "2021-11-15T21:15:07.320000", "db": "NVD", "id": "CVE-2021-41266" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2021-11-17T00:00:00", "db": "CNVD", "id": "CNVD-2021-88205" }, { "date": "2021-11-19T00:00:00", "db": "VULMON", "id": "CVE-2021-41266" }, { "date": "2022-11-02T01:12:00", "db": "JVNDB", "id": "JVNDB-2021-014927" }, { "date": "2021-12-01T00:00:00", "db": "CNNVD", "id": "CNNVD-202111-1271" }, { "date": "2024-11-21T06:25:55.447000", "db": "NVD", "id": "CVE-2021-41266" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "CNNVD", "id": "CNNVD-202111-1271" } ], "trust": 0.6 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Minio 
access control error vulnerability", "sources": [ { "db": "CNVD", "id": "CNVD-2021-88205" }, { "db": "CNNVD", "id": "CNNVD-202111-1271" } ], "trust": 1.2 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "access control error", "sources": [ { "db": "CNNVD", "id": "CNNVD-202111-1271" } ], "trust": 0.6 } }
var-202302-1690
Vulnerability from variot
Minio is a Multi-Cloud Object Storage framework. Affected versions do not correctly honor a Deny policy on BypassGovernance. Ideally, minio should return "Access Denied" to all users attempting to DELETE a versionId with the special header X-Amz-Bypass-Governance-Retention: true. However, this was not honored; instead the request would be honored and an object under governance would be incorrectly deleted. All users are advised to upgrade. There are no known workarounds for this issue. Minio from Minio Inc. contains an unspecified vulnerability: information may be obtained, information may be tampered with, and service operation may be interrupted (DoS).
{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-202302-1690", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "minio", "scope": "lt", "trust": 1.0, "vendor": "minio", "version": "2023-02-17t17-52-43z" }, { "model": "minio", "scope": "gte", "trust": 1.0, "vendor": "minio", "version": "2020-04-10t03-34-42z" }, { "model": "minio", "scope": "eq", "trust": 0.8, "vendor": "minio", "version": 
"2020-04-10t03-34-42z that\u0027s all 2023-02-17t17-52-43z" }, { "model": "minio", "scope": null, "trust": 0.8, "vendor": "minio", "version": null }, { "model": "minio", "scope": "eq", "trust": 0.8, "vendor": "minio", "version": null } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2023-004685" }, { "db": "NVD", "id": "CVE-2023-25812" } ] }, "configurations": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/configurations#", "children": { "@container": "@list" }, "cpe_match": { "@container": "@list" }, "data": { "@container": "@list" }, "nodes": { "@container": "@list" } }, "data": [ { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "2023-02-17t17-52-43z", "versionStartIncluding": "2020-04-10t03-34-42z", "vulnerable": true } ], "operator": "OR" } ] } ], "sources": [ { "db": "NVD", "id": "CVE-2023-25812" } ] }, "cve": "CVE-2023-25812", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [], "cvssV3": [ { "attackComplexity": "LOW", "attackVector": "NETWORK", "author": "NVD", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "exploitabilityScore": 2.8, "impactScore": 5.9, "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "trust": 1.0, 
"userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, { "attackComplexity": "LOW", "attackVector": "NETWORK", "author": "security-advisories@github.com", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "exploitabilityScore": 3.9, "impactScore": 2.5, "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "trust": 1.0, "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.1" }, { "attackComplexity": "Low", "attackVector": "Network", "author": "NVD", "availabilityImpact": "High", "baseScore": 8.8, "baseSeverity": "High", "confidentialityImpact": "High", "exploitabilityScore": null, "id": "CVE-2023-25812", "impactScore": null, "integrityImpact": "High", "privilegesRequired": "Low", "scope": "Unchanged", "trust": 0.8, "userInteraction": "None", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" } ], "severity": [ { "author": "NVD", "id": "CVE-2023-25812", "trust": 1.8, "value": "HIGH" }, { "author": "security-advisories@github.com", "id": "CVE-2023-25812", "trust": 1.0, "value": "MEDIUM" }, { "author": "CNNVD", "id": "CNNVD-202302-1719", "trust": 0.6, "value": "HIGH" } ] } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2023-004685" }, { "db": "NVD", "id": "CVE-2023-25812" }, { "db": "NVD", "id": "CVE-2023-25812" }, { "db": "CNNVD", "id": "CNNVD-202302-1719" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Minio is a Multi-Cloud Object Storage framework. Affected versions do not correctly honor a `Deny` policy on ByPassGoverance. Ideally, minio should return \"Access Denied\" to all users attempting to DELETE a versionId with the special header `X-Amz-Bypass-Governance-Retention: true`. 
However, this was not honored instead the request will be honored and an object under governance would be incorrectly deleted. All users are advised to upgrade. There are no known workarounds for this issue. Minio Inc. of Minio Exists in unspecified vulnerabilities.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state", "sources": [ { "db": "NVD", "id": "CVE-2023-25812" }, { "db": "JVNDB", "id": "JVNDB-2023-004685" }, { "db": "VULMON", "id": "CVE-2023-25812" } ], "trust": 1.71 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2023-25812", "trust": 3.3 }, { "db": "JVNDB", "id": "JVNDB-2023-004685", "trust": 0.8 }, { "db": "CNNVD", "id": "CNNVD-202302-1719", "trust": 0.6 }, { "db": "VULMON", "id": "CVE-2023-25812", "trust": 0.1 } ], "sources": [ { "db": "VULMON", "id": "CVE-2023-25812" }, { "db": "JVNDB", "id": "JVNDB-2023-004685" }, { "db": "NVD", "id": "CVE-2023-25812" }, { "db": "CNNVD", "id": "CNNVD-202302-1719" } ] }, "id": "VAR-202302-1690", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "VARIoT devices database", "id": null } ], "trust": 0.18899521 }, "last_update_date": "2023-12-18T12:25:29.586000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "MinIO Security vulnerabilities", "trust": 0.6, "url": "http://123.124.177.30/web/xxk/bdxqbyid.tag?id=228040" } ], "sources": [ { "db": "CNNVD", "id": "CNNVD-202302-1719" } ] }, 
"problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "NVD-CWE-noinfo", "trust": 1.0 }, { "problemtype": "Lack of information (CWE-noinfo) [NVD evaluation ]", "trust": 0.8 } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2023-004685" }, { "db": "NVD", "id": "CVE-2023-25812" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 2.5, "url": "https://github.com/minio/minio/security/advisories/ghsa-c8fc-mjj8-fc63" }, { "trust": 2.5, "url": "https://github.com/minio/minio/commit/a7188bc9d0f0a5ae05aaf1b8126bcd3cb3fdc485" }, { "trust": 2.5, "url": "https://github.com/minio/minio/pull/16635" }, { "trust": 1.4, "url": "https://nvd.nist.gov/vuln/detail/cve-2023-25812" }, { "trust": 0.6, "url": "https://cxsecurity.com/cveshow/cve-2023-25812/" }, { "trust": 0.1, "url": "https://nvd.nist.gov" } ], "sources": [ { "db": "VULMON", "id": "CVE-2023-25812" }, { "db": "JVNDB", "id": "JVNDB-2023-004685" }, { "db": "NVD", "id": "CVE-2023-25812" }, { "db": "CNNVD", "id": "CNNVD-202302-1719" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "VULMON", "id": "CVE-2023-25812" }, { "db": "JVNDB", "id": "JVNDB-2023-004685" }, { "db": "NVD", "id": "CVE-2023-25812" }, { "db": "CNNVD", "id": "CNNVD-202302-1719" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2023-02-21T00:00:00", "db": "VULMON", "id": "CVE-2023-25812" }, { "date": "2023-11-01T00:00:00", "db": "JVNDB", "id": "JVNDB-2023-004685" }, { "date": 
"2023-02-21T21:15:11.507000", "db": "NVD", "id": "CVE-2023-25812" }, { "date": "2023-02-21T00:00:00", "db": "CNNVD", "id": "CNNVD-202302-1719" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2023-02-22T00:00:00", "db": "VULMON", "id": "CVE-2023-25812" }, { "date": "2023-11-01T04:47:00", "db": "JVNDB", "id": "JVNDB-2023-004685" }, { "date": "2023-11-07T04:09:12.860000", "db": "NVD", "id": "CVE-2023-25812" }, { "date": "2023-03-08T00:00:00", "db": "CNNVD", "id": "CNNVD-202302-1719" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "CNNVD", "id": "CNNVD-202302-1719" } ], "trust": 0.6 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Minio\u00a0Inc.\u00a0 of \u00a0Minio\u00a0 Vulnerability in", "sources": [ { "db": "JVNDB", "id": "JVNDB-2023-004685" } ], "trust": 0.8 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "other", "sources": [ { "db": "CNNVD", "id": "CNNVD-202302-1719" } ], "trust": 0.6 } }
var-202303-0929
Vulnerability from variot
Minio is a Multi-Cloud Object Storage framework. Starting with RELEASE.2020-12-23T02-24-12Z and prior to RELEASE.2023-03-13T19-46-17Z, a user with `consoleAdmin` permissions can potentially create a user that matches the root credential `accessKey`. Once this user is created successfully, the root credential ceases to work appropriately. The issue is patched in RELEASE.2023-03-13T19-46-17Z. There are ways to work around this by adding higher privileges to the disabled root user via `mc admin policy set`. An unspecified vulnerability exists in Minio Inc.'s Minio; information may be tampered with and service operation may be interrupted (DoS).
{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-202303-0929", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "minio", "scope": "gte", "trust": 1.0, "vendor": "minio", "version": "2020-12-23t02-24-12z" }, { "model": "minio", "scope": "lt", "trust": 1.0, "vendor": "minio", "version": "2023-03-13t19-46-17z" }, { "model": "minio", "scope": null, "trust": 0.8, "vendor": "minio", "version": null }, { "model": "minio", "scope": "eq", "trust": 0.8, "vendor": "minio", "version": null }, { 
"model": "minio", "scope": "eq", "trust": 0.8, "vendor": "minio", "version": "2020-12-23t02-24-12z that\u0027s all 2023-03-13t19-46-17z" } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2023-005403" }, { "db": "NVD", "id": "CVE-2023-27589" } ] }, "configurations": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/configurations#", "children": { "@container": "@list" }, "cpe_match": { "@container": "@list" }, "data": { "@container": "@list" }, "nodes": { "@container": "@list" } }, "data": [ { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "2023-03-13t19-46-17z", "versionStartIncluding": "2020-12-23t02-24-12z", "vulnerable": true } ], "operator": "OR" } ] } ], "sources": [ { "db": "NVD", "id": "CVE-2023-27589" } ] }, "cve": "CVE-2023-27589", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [], "cvssV3": [ { "attackComplexity": "LOW", "attackVector": "NETWORK", "author": "NVD", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "exploitabilityScore": 1.2, "impactScore": 5.2, "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "trust": 2.0, "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H", "version": "3.1" 
}, { "attackComplexity": "Low", "attackVector": "Network", "author": "NVD", "availabilityImpact": "High", "baseScore": 6.5, "baseSeverity": "Medium", "confidentialityImpact": "None", "exploitabilityScore": null, "id": "CVE-2023-27589", "impactScore": null, "integrityImpact": "High", "privilegesRequired": "High", "scope": "Unchanged", "trust": 0.8, "userInteraction": "None", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H", "version": "3.0" } ], "severity": [ { "author": "NVD", "id": "CVE-2023-27589", "trust": 1.8, "value": "MEDIUM" }, { "author": "security-advisories@github.com", "id": "CVE-2023-27589", "trust": 1.0, "value": "MEDIUM" }, { "author": "CNNVD", "id": "CNNVD-202303-1092", "trust": 0.6, "value": "MEDIUM" } ] } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2023-005403" }, { "db": "NVD", "id": "CVE-2023-27589" }, { "db": "NVD", "id": "CVE-2023-27589" }, { "db": "CNNVD", "id": "CNNVD-202303-1092" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Minio is a Multi-Cloud Object Storage framework. Starting with RELEASE.2020-12-23T02-24-12Z and prior to RELEASE.2023-03-13T19-46-17Z, a user with `consoleAdmin` permissions can potentially create a user that matches the root credential `accessKey`. Once this user is created successfully, the root credential ceases to work appropriately. The issue is patched in RELEASE.2023-03-13T19-46-17Z. There are ways to work around this via adding higher privileges to the disabled root user via `mc admin policy set`. Minio Inc. 
of Minio Exists in unspecified vulnerabilities.Information is tampered with and service operation is interrupted (DoS) It may be in a state", "sources": [ { "db": "NVD", "id": "CVE-2023-27589" }, { "db": "JVNDB", "id": "JVNDB-2023-005403" }, { "db": "VULMON", "id": "CVE-2023-27589" } ], "trust": 1.71 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2023-27589", "trust": 3.3 }, { "db": "JVNDB", "id": "JVNDB-2023-005403", "trust": 0.8 }, { "db": "CNNVD", "id": "CNNVD-202303-1092", "trust": 0.6 }, { "db": "VULMON", "id": "CVE-2023-27589", "trust": 0.1 } ], "sources": [ { "db": "VULMON", "id": "CVE-2023-27589" }, { "db": "JVNDB", "id": "JVNDB-2023-005403" }, { "db": "NVD", "id": "CVE-2023-27589" }, { "db": "CNNVD", "id": "CNNVD-202303-1092" } ] }, "id": "VAR-202303-0929", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "VARIoT devices database", "id": null } ], "trust": 0.18899521 }, "last_update_date": "2023-12-18T12:48:11.973000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "MinIO Security vulnerabilities", "trust": 0.6, "url": "http://123.124.177.30/web/xxk/bdxqbyid.tag?id=229736" } ], "sources": [ { "db": "CNNVD", "id": "CNNVD-202303-1092" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "NVD-CWE-noinfo", "trust": 
1.0 }, { "problemtype": "Lack of information (CWE-noinfo) [NVD evaluation ]", "trust": 0.8 } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2023-005403" }, { "db": "NVD", "id": "CVE-2023-27589" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 2.5, "url": "https://github.com/minio/minio/pull/16803" }, { "trust": 2.5, "url": "https://github.com/minio/minio/security/advisories/ghsa-9wfv-wmf7-6753" }, { "trust": 0.8, "url": "https://nvd.nist.gov/vuln/detail/cve-2023-27589" }, { "trust": 0.6, "url": "https://cxsecurity.com/cveshow/cve-2023-27589/" }, { "trust": 0.1, "url": "https://cwe.mitre.org/data/definitions/269.html" }, { "trust": 0.1, "url": "https://nvd.nist.gov" } ], "sources": [ { "db": "VULMON", "id": "CVE-2023-27589" }, { "db": "JVNDB", "id": "JVNDB-2023-005403" }, { "db": "NVD", "id": "CVE-2023-27589" }, { "db": "CNNVD", "id": "CNNVD-202303-1092" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "VULMON", "id": "CVE-2023-27589" }, { "db": "JVNDB", "id": "JVNDB-2023-005403" }, { "db": "NVD", "id": "CVE-2023-27589" }, { "db": "CNNVD", "id": "CNNVD-202303-1092" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2023-03-14T00:00:00", "db": "VULMON", "id": "CVE-2023-27589" }, { "date": "2023-11-08T00:00:00", "db": "JVNDB", "id": "JVNDB-2023-005403" }, { "date": "2023-03-14T19:15:10.547000", "db": "NVD", "id": "CVE-2023-27589" }, { "date": "2023-03-14T00:00:00", "db": "CNNVD", "id": "CNNVD-202303-1092" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { 
"date": "2023-03-15T00:00:00", "db": "VULMON", "id": "CVE-2023-27589" }, { "date": "2023-11-08T03:19:00", "db": "JVNDB", "id": "JVNDB-2023-005403" }, { "date": "2023-03-21T14:16:35.477000", "db": "NVD", "id": "CVE-2023-27589" }, { "date": "2023-03-22T00:00:00", "db": "CNNVD", "id": "CNNVD-202303-1092" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "CNNVD", "id": "CNNVD-202303-1092" } ], "trust": 0.6 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Minio\u00a0Inc.\u00a0 of \u00a0Minio\u00a0 Vulnerability in", "sources": [ { "db": "JVNDB", "id": "JVNDB-2023-005403" } ], "trust": 0.8 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "other", "sources": [ { "db": "CNNVD", "id": "CNNVD-202303-1092" } ], "trust": 0.6 } }
var-202112-1852
Vulnerability from variot
MinIO is a Kubernetes native application for cloud storage. Prior to version RELEASE.2021-12-27T07-23-18Z, a malicious client can hand-craft an HTTP API call that allows for updating policy for a user and gaining higher privileges. The patch in version RELEASE.2021-12-27T07-23-18Z changes the accepted request body type and removes the ability to apply policy changes through this API. There is a workaround for this vulnerability: changing passwords can be disabled by adding an explicit `Deny` rule to disable the API for users. MinIO contains an improper-authentication vulnerability; information may be obtained or tampered with, and service operation may be interrupted (DoS). MinIO is an open-source object storage server from MinIO, Inc. in the United States. The product supports building infrastructure for machine learning, analytics, and application data workloads. A patched version (RELEASE.2021-12-27T07-23-18Z) is available; no further vulnerability details are currently published.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===================================================================== Red Hat Security Advisory
Synopsis: Important: Red Hat Advanced Cluster Management 2.4.2 security updates and bug fixes
Advisory ID: RHSA-2022:0735-01
Product: Red Hat ACM
Advisory URL: https://access.redhat.com/errata/RHSA-2022:0735
Issue date: 2022-03-03
CVE Names: CVE-2021-3521 CVE-2021-3712 CVE-2021-3807 CVE-2021-3872 CVE-2021-3918 CVE-2021-3984 CVE-2021-4019 CVE-2021-4034 CVE-2021-4122 CVE-2021-4155 CVE-2021-4192 CVE-2021-4193 CVE-2021-22963 CVE-2021-41089 CVE-2021-41091 CVE-2021-42574 CVE-2021-43565 CVE-2021-43816 CVE-2021-43858 CVE-2022-0185 CVE-2022-0235 CVE-2022-24407 CVE-2022-24450
=====================================================================
- Summary:
Red Hat Advanced Cluster Management for Kubernetes 2.4.2 General Availability release images. This update provides security fixes, fixes bugs, and updates the container images.
Red Hat Product Security has rated this update as having a security impact of Important.
- Description:
Red Hat Advanced Cluster Management for Kubernetes 2.4.2 images
Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Clusters and applications are all visible and managed from a single console—with security policy built in.
Red Hat Product Security has rated this update as having a security impact of Important.
This advisory contains the container images for Red Hat Advanced Cluster Management for Kubernetes, which provide some security fixes and bug fixes. See the following Release Notes documentation, which will be updated shortly for this release, for additional details about this release:
https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.4/html/release_notes/
Security updates:
- nodejs-json-schema: Prototype pollution vulnerability (CVE-2021-3918)
- containerd: Unprivileged pod may bind mount any privileged regular file on disk (CVE-2021-43816)
- minio-go: user privilege escalation in AddUser() admin API (CVE-2021-43858)
- nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes (CVE-2021-3807)
- fastify-static: open redirect via an URL with double slash followed by a domain (CVE-2021-22963)
- moby: `docker cp` allows unexpected chmod of host file (CVE-2021-41089)
- moby: data directory contains subdirectories with insufficiently restricted permissions, which could lead to directory traversal (CVE-2021-41091)
- golang.org/x/crypto: empty plaintext packet causes panic (CVE-2021-43565)
- node-fetch: Exposure of Sensitive Information to an Unauthorized Actor (CVE-2022-0235)
- nats-server: misusing the "dynamically provisioned sandbox accounts" feature authenticated user can obtain the privileges of the System account (CVE-2022-24450)
Bug fixes:
- Trying to create a new cluster on vSphere and no feedback, stuck in "creating" (Bugzilla #1937078)
- The hyperlink of *ks cluster node cannot be opened when I want to check the node (Bugzilla #2028100)
- Unable to make SSH connection to a Bitbucket server (Bugzilla #2028196)
- RHACM cannot deploy Helm Charts with version numbers starting with letters (e.g. v1.6.1) (Bugzilla #2028931)
- RHACM 2.4.2 images (Bugzilla #2029506)
- Git Application still appears in Application Table and Resources are Still Seen in Advanced Configuration Upon Deletion after Upgrade from 2.4.0 (Bugzilla #2030005)
- Namespace left orphaned after destroying the cluster (Bugzilla #2030379)
- The results filtered through the filter contain some data that should not be present in cluster page (Bugzilla #2034198)
- Git over ssh doesn't use custom port set in url (Bugzilla #2036057)
- The value of name label changed from clusterclaim name to cluster name (Bugzilla #2042223)
- ACM configuration policies do not handle Limitrange or Quotas values (Bugzilla #2042545)
- Cluster addons do not appear after upgrade from ACM 2.3.5 to ACM 2.3.6 (Bugzilla #2050847)
- The azure government regions were not list in the region drop down list when creating the cluster (Bugzilla #2051797)
-
Solution:
Before applying this update, make sure all previously released errata relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.4/html-single/install/index#installing
- Bugs fixed (https://bugzilla.redhat.com/):
2001668 - [DDF] normally, in the OCP web console, one sees a yaml of the secret, where at the bottom, the following is shown:
2007557 - CVE-2021-3807 nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes
2008592 - CVE-2021-41089 moby: `docker cp` allows unexpected chmod of host file
2012909 - [DDF] We feel it would be beneficial to add a sub-section here referencing the reconcile options available to users when
2015152 - CVE-2021-22963 fastify-static: open redirect via an URL with double slash followed by a domain
2023448 - CVE-2021-41091 moby: data directory contains subdirectories with insufficiently restricted permissions, which could lead to directory traversal
2024702 - CVE-2021-3918 nodejs-json-schema: Prototype pollution vulnerability
2028100 - The hyperlink of *ks cluster node can not be opened when I want to check the node
2028196 - Unable to make SSH connection to a Bitbucket server
2028931 - RHACM can not deploy Helm Charts with version numbers starting with letters (e.g. v1.6.1)
2029506 - RHACM 2.4.2 images
2030005 - Git Application still appears in Application Table and Resources are Still Seen in Advanced Configuration Upon Deletion after Upgrade from 2.4.0
2030379 - Namespace left orphaned after destroying the cluster
2030787 - CVE-2021-43565 golang.org/x/crypto: empty plaintext packet causes panic
2032957 - Missing AWX templates in ACM
2034198 - The results filtered through the filter contain some data that should not be present in cluster page
2036057 - git over ssh doesn't use custom port set in url
2036252 - CVE-2021-43858 minio: user privilege escalation in AddUser() admin API
2039378 - Deploying CRD via Application does not update status in ACM console
2041015 - The base domain did not updated when switch the provider credentials during create the cluster/cluster pool
2042545 - ACM configuration policies do not handle Limitrange or Quotas values
2043519 - "apps.open-cluster-management.io/git-branch" annotation should be mandatory
2044434 - CVE-2021-43816 containerd: Unprivileged pod may bind mount any privileged regular file on disk
2044591 - CVE-2022-0235 node-fetch: exposure of sensitive information to an unauthorized actor
2050847 - Cluster addons do not appear after upgrade from ACM 2.3.5 to ACM 2.3.6
2051797 - the azure government regions were not list in the region drop down list when create the cluster
2052573 - CVE-2022-24450 nats-server: misusing the "dynamically provisioned sandbox accounts" feature authenticated user can obtain the privileges of the System account
- References:
https://access.redhat.com/security/cve/CVE-2021-3521 https://access.redhat.com/security/cve/CVE-2021-3712 https://access.redhat.com/security/cve/CVE-2021-3807 https://access.redhat.com/security/cve/CVE-2021-3872 https://access.redhat.com/security/cve/CVE-2021-3918 https://access.redhat.com/security/cve/CVE-2021-3984 https://access.redhat.com/security/cve/CVE-2021-4019 https://access.redhat.com/security/cve/CVE-2021-4034 https://access.redhat.com/security/cve/CVE-2021-4122 https://access.redhat.com/security/cve/CVE-2021-4155 https://access.redhat.com/security/cve/CVE-2021-4192 https://access.redhat.com/security/cve/CVE-2021-4193 https://access.redhat.com/security/cve/CVE-2021-22963 https://access.redhat.com/security/cve/CVE-2021-41089 https://access.redhat.com/security/cve/CVE-2021-41091 https://access.redhat.com/security/cve/CVE-2021-42574 https://access.redhat.com/security/cve/CVE-2021-43565 https://access.redhat.com/security/cve/CVE-2021-43816 https://access.redhat.com/security/cve/CVE-2021-43858 https://access.redhat.com/security/cve/CVE-2022-0185 https://access.redhat.com/security/cve/CVE-2022-0235 https://access.redhat.com/security/cve/CVE-2022-24407 https://access.redhat.com/security/cve/CVE-2022-24450 https://access.redhat.com/security/updates/classification/#important
- Contact:
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYiE9otzjgjWX9erEAQi0Ew/9EGNefP8TLEdc6Vq3zNtj01fnV0K4Crgi
sgKVOx1PYO+xFfdJKXwN/dg4kCMZ5kXPzf+6BNudmEIjDxvl7/khvWnXfgXXX5Ml
7/7vAzSkHETk63ZS8WJuXKXrfs56jEnNVpi86DgsjYcPocXmKk93OST0UlBV+Qec
QjepL6X/khbKb3nCFBgSmejW2XWmqUNZ/XFOmrUtxxMyJ1PJTKmmpSIwWNy0uz9M
vIECOhYPR9cOzF8NNQ5rby4/s7NyHnxLTWJcoUCNjCpJc7o7AswbQHjceLU3gX+b
wkqNt7t7cEiBMvOdhRKWOyjVZ7hI8CbplRdJga52NsqhZtVMGXatK06DtTlPp4E4
RUo+gO2ipbld2KlFydBF/Rohm4xls9yzYt6uGaxH+HW75hLJLNyDPYitZptvuWAT
BJFVTguNuLw9M8dk7vnbGCHZGJSz0GAKW53kx7SGe4DFcFpUtfUPua1ZLdAyuz9y
ajYfbvvr4G34hxl6H/ovFzd5ydrSZpOtP43jWSBiySYRe5oOCWupp5vt3TwJOWsT
ac6t4q350GEcUNRin99AGVv7Ch1Herrs+oVl4wd4jmtpHe35q2sOW4HlFhEOfsqa
Gy4qDhuSxvfie0ONHVAQylj7XsRdLfClRhWCT0YmZyXcZlbELom99aDapDO8Hioa
eqF6R05B/GE=
=IaEk
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce
. (BZ# 2033339)
- Restore/backup shows up as Validation failed but the restore backup status in ACM shows success (BZ# 2034279)
- Observability - OCP 311 node role are not displayed completely (BZ# 2038650)
- Documented uninstall procedure leaves many leftovers (BZ# 2041921)
- infrastructure-operator pod crashes due to insufficient privileges in ACM 2.5 (BZ# 2046554)
- Acm failed to install due to some missing CRDs in operator (BZ# 2047463)
- Navigation icons no longer showing in ACM 2.5 (BZ# 2051298)
- ACM home page now includes /home/ in url (BZ# 2051299)
- proxy heading in Add Credential should be capitalized (BZ# 2051349)
- ACM 2.5 tries to create new MCE instance when install on top of existing MCE 2.0 (BZ# 2051983)
- Create Policy button does not work and user cannot use console to create policy (BZ# 2053264)
- No cluster information was displayed after a policyset was created (BZ# 2053366)
- Dynamic plugin update does not take effect in Firefox (BZ# 2053516)
- Replicated policy should not be available when creating a Policy Set (BZ# 2054431)
- Placement section in Policy Set wizard does not reset when users click "Back" to re-configured placement (BZ# 2054433)
-
Bugs fixed (https://bugzilla.redhat.com/):
2014557 - RFE Copy secret with specific secret namespace, name for source and name, namespace and cluster label for target
2024702 - CVE-2021-3918 nodejs-json-schema: Prototype pollution vulnerability
2024938 - CVE-2021-41190 opencontainers: OCI manifest and index parsing confusion
2028224 - RHACM 2.5.0 images
2028348 - [UI] When you delete host agent from infraenv no confirmation message appear (Are you sure you want to delete x?)
2028647 - Clusters are in 'Degraded' status with upgrade env due to obs-controller not working properly
2030787 - CVE-2021-43565 golang.org/x/crypto: empty plaintext packet causes panic
2033339 - create cluster pool -> choose infra type , As a result infra providers disappear from UI.
2073179 - Policy controller was unable to retrieve violation status in for an OCP 3.11 managed cluster on ARM hub
2073330 - Observabilityy - memory usage data are not collected even collect rule is fired on SNO
2073355 - Get blank page when click policy with unknown status in Governance -> Overview page
2073508 - Thread responsible to get insights data from ks clusters is broken
2073557 - appsubstatus is not deleted for Helm applications when changing between 2 managed clusters
2073726 - Placement of First Subscription gets overlapped by the Cluster Node in Application Topology
2073739 - Console/App LC - Error message saying resource conflict only shows up in standalone ACM but not in Dynamic plugin
2073740 - Console/App LC- Apps are deployed even though deployment do not proceed because of "resource conflict" error
2074178 - Editing Helm Argo Applications does not Prune Old Resources
2074626 - Policy placement failure during ZTP SNO scale test
2074689 - CVE-2022-21803 nconf: Prototype pollution in memory store
2074803 - The import cluster YAML editor shows the klusterletaddonconfig was required on MCE portal
2074937 - UI allows creating cluster even when there are no ClusterImageSets
2075416 - infraEnv failed to create image after restore
2075440 - The policyreport CR is created for spoke clusters until restarted the insights-client pod
2075739 - The lookup function won't check the referred resource whether exist when using template policies
2076421 - Can't select existing placement for policy or policyset when editing policy or policyset
2076494 - No policyreport CR for spoke clusters generated in the disconnected env
2076502 - The policyset card doesn't show the cluster status(violation/without violation) again after deleted one policy
2077144 - GRC Ansible automation wizard does not display error of missing dependent Ansible Automation Platform operator
2077149 - App UI shows no clusters cluster column of App Table when Discovery Applications is deployed to a managed cluster
2077291 - Prometheus doesn't display acm_managed_cluster_info after upgrade from 2.4 to 2.5
2077304 - Create Cluster button is disabled only if other clusters exist
2077526 - ACM UI is very very slow after upgrade from 2.4 to 2.5
2077562 - Console/App LC- Helm and Object bucket applications are not showing as deployed in the UI
2077751 - Can't create a template policy from UI when the object's name is referring Golang text template syntax in this policy
2077783 - Still show violation for clusterserviceversions after enforced "Detect Image vulnerabilities " policy template and the operator is installed
2077951 - Misleading message indicated that a placement of a policy became one managed only by policy set
2078164 - Failed to edit a policy without placement
2078167 - Placement binding and rule names are not created in yaml when editing a policy previously created with no placement
2078373 - Disable the hyperlink of ks node in standalone MCE environment since the search component was not exists
2078617 - Azure public credential details get pre-populated with base domain name in UI
2078952 - View pod logs in search details returns error
2078973 - Crashed pod is marked with success in Topology
2079013 - Changing existing placement rules does not change YAML file
2079015 - Uninstall pod crashed when destroying Azure Gov cluster in ACM
2079421 - Hyphen(s) is deleted unexpectedly in UI when yaml is turned on
2079494 - Hitting Enter in yaml editor caused unexpected keys "key00x:" to be created
2079533 - Clusters with no default clusterset do not get assigned default cluster when upgrading from ACM 2.4 to 2.5
2079585 - When an Ansible Secret is propagated to an Ansible Application namespace, the propagated secret is shown in the Credentials page
2079611 - Edit appset placement in UI with a different existing placement causes the current associated placement being deleted
2079615 - Edit appset placement in UI with a new placement throws error upon submitting
2079658 - Cluster Count is Incorrect in Application UI
2079909 - Wrong message is displayed when GRC fails to connect to an ansible tower
2080172 - Still create policy automation successfully when the PolicyAutomation name exceed 63 characters
2080215 - Get a blank page after go to policies page in upgraded env when using an user with namespace-role-binding of default view role
2080279 - CVE-2022-29810 go-getter: writes SSH credentials into logfile, exposing sensitive credentials to local uses
2080503 - vSphere network name doesn't allow entering spaces and doesn't reflect YAML changes
2080567 - Number of cluster in violation in the table does not match other cluster numbers on the policy set details page
2080712 - Select an existing placement configuration does not work
2080776 - Unrecognized characters are displayed on policy and policy set yaml editors
2081792 - When deploying an application to a clusterpool claimed cluster after upgrade, the application does not get deployed to the cluster
2081810 - Type '-' character in Name field caused previously typed character backspaced in in the name field of policy wizard
2081829 - Application deployed on local cluster's topology is crashing after upgrade
2081938 - The deleted policy still be shown on the policyset review page when edit this policy set
2082226 - Object Storage Topology includes residue of resources after Upgrade
2082409 - Policy set details panel remains even after the policy set has been deleted
2082449 - The hypershift-addon-agent deployment did not have imagePullSecrets
2083038 - Warning still refers to the `klusterlet-addon-appmgr` pod rather than the `application-manager` pod
2083160 - When editing a helm app with failing resources to another, the appsubstatus and the managedclusterview do not get updated
2083434 - The provider-credential-controller did not support the RHV credentials type
2083854 - When deploying an application with ansiblejobs multiple times with different namespaces, the topology shows all the ansiblejobs rather than just the one within the namespace
2083870 - When editing an existing application and refreshing the `Select an existing placement configuration`, multiple occurrences of the placementrule get displayed
2084034 - The status message looks messy in the policy set card, suggest one kind status one a row
2084158 - Support provisioning bm cluster where no provisioning network provided
2084622 - Local Helm application shows cluster resources as `Not Deployed` in Topology [Upgrade]
2085083 - Policies fail to copy to cluster namespace after ACM upgrade
2085237 - Resources referenced by a channel are not annotated with backup label
2085273 - Error querying for ansible job in app topology
2085281 - Template name error is reported but the template name was found in a different replicated policy
2086389 - The policy violations for hibernated cluster still be displayed on the policy set details page
2087515 - Validation thrown out in configuration for disconnect install while creating bm credential
2088158 - Object Storage Application deployed to all clusters is showing unemployed in topology [Upgrade]
2088511 - Some cluster resources are not showing labels that are defined in the YAML
5
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-202112-1852", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "minio", "scope": "lt", "trust": 1.0, "vendor": "minio", "version": "2021-12-27t07-23-18z" }, { "model": "minio", "scope": "eq", "trust": 0.8, "vendor": "minio", "version": "release.2021-12-27t07-23-18z" }, { "model": "minio", "scope": "eq", "trust": 0.8, 
"vendor": "minio", "version": null }, { "model": "\u003c2021-12-27t07-23-18z", "scope": null, "trust": 0.6, "vendor": "minio", "version": null } ], "sources": [ { "db": "CNVD", "id": "CNVD-2022-08921" }, { "db": "JVNDB", "id": "JVNDB-2021-017335" }, { "db": "NVD", "id": "CVE-2021-43858" } ] }, "credits": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/credits#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Red Hat", "sources": [ { "db": "PACKETSTORM", "id": "166199" }, { "db": "PACKETSTORM", "id": "167459" } ], "trust": 0.2 }, "cve": "CVE-2021-43858", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [ { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "author": "nvd@nist.gov", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "exploitabilityScore": 8.0, "id": "CVE-2021-43858", "impactScore": 6.4, "integrityImpact": "PARTIAL", "severity": "MEDIUM", "trust": 1.9, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" }, { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "author": "CNVD", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "exploitabilityScore": 8.0, "id": "CNVD-2022-08921", "impactScore": 6.4, 
"integrityImpact": "PARTIAL", "severity": "MEDIUM", "trust": 0.6, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" } ], "cvssV3": [ { "attackComplexity": "LOW", "attackVector": "NETWORK", "author": "security-advisories@github.com", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "exploitabilityScore": 2.8, "id": "CVE-2021-43858", "impactScore": 5.9, "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "trust": 1.0, "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, { "attackComplexity": "Low", "attackVector": "Network", "author": "OTHER", "availabilityImpact": "High", "baseScore": 8.8, "baseSeverity": "High", "confidentialityImpact": "High", "exploitabilityScore": null, "id": "JVNDB-2021-017335", "impactScore": null, "integrityImpact": "High", "privilegesRequired": "Low", "scope": "Unchanged", "trust": 0.8, "userInteraction": "None", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" } ], "severity": [ { "author": "nvd@nist.gov", "id": "CVE-2021-43858", "trust": 1.0, "value": "MEDIUM" }, { "author": "security-advisories@github.com", "id": "CVE-2021-43858", "trust": 1.0, "value": "HIGH" }, { "author": "NVD", "id": "CVE-2021-43858", "trust": 0.8, "value": "High" }, { "author": "CNVD", "id": "CNVD-2022-08921", "trust": 0.6, "value": "MEDIUM" }, { "author": "CNNVD", "id": "CNNVD-202112-2635", "trust": 0.6, "value": "HIGH" }, { "author": "VULMON", "id": "CVE-2021-43858", "trust": 0.1, "value": "MEDIUM" } ] } ], "sources": [ { "db": "CNVD", "id": "CNVD-2022-08921" }, { "db": "VULMON", "id": "CVE-2021-43858" }, { "db": "JVNDB", "id": "JVNDB-2021-017335" }, { "db": "CNNVD", "id": "CNNVD-202112-2635" }, { "db": "NVD", "id": "CVE-2021-43858" }, { "db": "NVD", "id": "CVE-2021-43858" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { 
"@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "MinIO is a Kubernetes native application for cloud storage. Prior to version `RELEASE.2021-12-27T07-23-18Z`, a malicious client can hand-craft an HTTP API call that allows for updating policy for a user and gaining higher privileges. The patch in version `RELEASE.2021-12-27T07-23-18Z` changes the accepted request body type and removes the ability to apply policy changes through this API. There is a workaround for this vulnerability: Changing passwords can be disabled by adding an explicit `Deny` rule to disable the API for users. MinIO Exists in a fraudulent authentication vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. Minio MinIO is an open source object storage server of MinIO (Minio) company in the United States. The product supports building infrastructure for machine learning, analytics, and application data workloads. Patch with version number RELEASE. No detailed vulnerability details are currently available. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n=====================================================================\n Red Hat Security Advisory\n\nSynopsis: Important: Red Hat Advanced Cluster Management 2.4.2 security updates and bug fixes\nAdvisory ID: RHSA-2022:0735-01\nProduct: Red Hat ACM\nAdvisory URL: https://access.redhat.com/errata/RHSA-2022:0735\nIssue date: 2022-03-03\nCVE Names: CVE-2021-3521 CVE-2021-3712 CVE-2021-3807 \n CVE-2021-3872 CVE-2021-3918 CVE-2021-3984 \n CVE-2021-4019 CVE-2021-4034 CVE-2021-4122 \n CVE-2021-4155 CVE-2021-4192 CVE-2021-4193 \n CVE-2021-22963 CVE-2021-41089 CVE-2021-41091 \n CVE-2021-42574 CVE-2021-43565 CVE-2021-43816 \n CVE-2021-43858 CVE-2022-0185 CVE-2022-0235 \n CVE-2022-24407 CVE-2022-24450 \n=====================================================================\n\n1. 
Summary:\n\nRed Hat Advanced Cluster Management for Kubernetes 2.4.2 General\nAvailability\nrelease images. This update provides security fixes, fixes bugs, and\nupdates the container images. \n\nRed Hat Product Security has rated this update as having a security impact\nof\nImportant. \n\n2. Description:\n\nRed Hat Advanced Cluster Management for Kubernetes 2.4.2 images\n\nRed Hat Advanced Cluster Management for Kubernetes provides the\ncapabilities to address common challenges that administrators and site\nreliability engineers face as they work across a range of public and\nprivate cloud environments. Clusters and applications are all visible and\nmanaged from a single console\u2014with security policy built in. \n\nRed Hat Product Security has rated this update as having a security impact\nof Important. \n\nThis advisory contains the container images for Red Hat Advanced Cluster\nManagement for Kubernetes, which provide some security fixes and bug fixes. \nSee the following Release Notes documentation, which will be updated\nshortly for this release, for additional details about this release:\n\nhttps://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.4/html/release_notes/\n\nSecurity updates:\n\n* nodejs-json-schema: Prototype pollution vulnerability (CVE-2021-3918)\n\n* containerd: Unprivileged pod may bind mount any privileged regular file\non disk (CVE-2021-43816)\n\n* minio-go: user privilege escalation in AddUser() admin API\n(CVE-2021-43858)\n\n* nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching\nANSI escape codes (CVE-2021-3807)\n\n* fastify-static: open redirect via an URL with double slash followed by a\ndomain (CVE-2021-22963)\n\n* moby: `docker cp` allows unexpected chmod of host file (CVE-2021-41089)\n\n* moby: data directory contains subdirectories with insufficiently\nrestricted permissions, which could lead to directory traversal\n(CVE-2021-41091)\n\n* golang.org/x/crypto: empty 
plaintext packet causes panic (CVE-2021-43565)\n\n* node-fetch: Exposure of Sensitive Information to an Unauthorized Actor\n(CVE-2022-0235)\n\n* nats-server: misusing the \"dynamically provisioned sandbox accounts\"\nfeature authenticated user can obtain the privileges of the System account\n(CVE-2022-24450)\n\nBug fixes:\n\n* Trying to create a new cluster on vSphere and no feedback, stuck in\n\"creating\" (Bugzilla #1937078)\n\n* The hyperlink of *ks cluster node cannot be opened when I want to check\nthe node (Bugzilla #2028100)\n\n* Unable to make SSH connection to a Bitbucket server (Bugzilla #2028196)\n\n* RHACM cannot deploy Helm Charts with version numbers starting with\nletters (e.g. v1.6.1) (Bugzilla #2028931)\n\n* RHACM 2.4.2 images (Bugzilla #2029506)\n\n* Git Application still appears in Application Table and Resources are\nStill Seen in Advanced Configuration Upon Deletion after Upgrade from 2.4.0\n(Bugzilla #2030005)\n\n* Namespace left orphaned after destroying the cluster (Bugzilla #2030379)\n\n* The results filtered through the filter contain some data that should not\nbe present in cluster page (Bugzilla #2034198)\n\n* Git over ssh doesn\u0027t use custom port set in url (Bugzilla #2036057)\n\n* The value of name label changed from clusterclaim name to cluster name\n(Bugzilla #2042223)\n\n* ACM configuration policies do not handle Limitrange or Quotas values\n(Bugzilla #2042545)\n\n* Cluster addons do not appear after upgrade from ACM 2.3.5 to ACM 2.3.6\n(Bugzilla #2050847)\n\n* The azure government regions were not list in the region drop down list\nwhen creating the cluster (Bugzilla #2051797)\n\n3. Solution:\n\nBefore applying this update, make sure all previously released errata\nrelevant to your system have been applied. \n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.4/html-single/install/index#installing\n\n4. 
Bugs fixed (https://bugzilla.redhat.com/):\n\n2001668 - [DDF] normally, in the OCP web console, one sees a yaml of the secret, where at the bottom, the following is shown:\n2007557 - CVE-2021-3807 nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes\n2008592 - CVE-2021-41089 moby: `docker cp` allows unexpected chmod of host file\n2012909 - [DDF] We feel it would be beneficial to add a sub-section here referencing the reconcile options available to users when\n2015152 - CVE-2021-22963 fastify-static: open redirect via an URL with double slash followed by a domain\n2023448 - CVE-2021-41091 moby: data directory contains subdirectories with insufficiently restricted permissions, which could lead to directory traversal\n2024702 - CVE-2021-3918 nodejs-json-schema: Prototype pollution vulnerability\n2028100 - The hyperlink of *ks cluster node can not be opened when I want to check the node\n2028196 - Unable to make SSH connection to a Bitbucket server\n2028931 - RHACM can not deploy Helm Charts with version numbers starting with letters (e.g. 
v1.6.1)\n2029506 - RHACM 2.4.2 images\n2030005 - Git Application still appears in Application Table and Resources are Still Seen in Advanced Configuration Upon Deletion after Upgrade from 2.4.0\n2030379 - Namespace left orphaned after destroying the cluster\n2030787 - CVE-2021-43565 golang.org/x/crypto: empty plaintext packet causes panic\n2032957 - Missing AWX templates in ACM\n2034198 - The results filtered through the filter contain some data that should not be present in cluster page\n2036057 - git over ssh doesn\u0027t use custom port set in url\n2036252 - CVE-2021-43858 minio: user privilege escalation in AddUser() admin API\n2039378 - Deploying CRD via Application does not update status in ACM console\n2041015 - The base domain did not updated when switch the provider credentials during create the cluster/cluster pool\n2042545 - ACM configuration policies do not handle Limitrange or Quotas values\n2043519 - \"apps.open-cluster-management.io/git-branch\" annotation should be mandatory\n2044434 - CVE-2021-43816 containerd: Unprivileged pod may bind mount any privileged regular file on disk\n2044591 - CVE-2022-0235 node-fetch: exposure of sensitive information to an unauthorized actor\n2050847 - Cluster addons do not appear after upgrade from ACM 2.3.5 to ACM 2.3.6\n2051797 - the azure government regions were not list in the region drop down list when create the cluster\n2052573 - CVE-2022-24450 nats-server: misusing the \"dynamically provisioned sandbox accounts\" feature authenticated user can obtain the privileges of the System account\n\n5. 
References:\n\nhttps://access.redhat.com/security/cve/CVE-2021-3521\nhttps://access.redhat.com/security/cve/CVE-2021-3712\nhttps://access.redhat.com/security/cve/CVE-2021-3807\nhttps://access.redhat.com/security/cve/CVE-2021-3872\nhttps://access.redhat.com/security/cve/CVE-2021-3918\nhttps://access.redhat.com/security/cve/CVE-2021-3984\nhttps://access.redhat.com/security/cve/CVE-2021-4019\nhttps://access.redhat.com/security/cve/CVE-2021-4034\nhttps://access.redhat.com/security/cve/CVE-2021-4122\nhttps://access.redhat.com/security/cve/CVE-2021-4155\nhttps://access.redhat.com/security/cve/CVE-2021-4192\nhttps://access.redhat.com/security/cve/CVE-2021-4193\nhttps://access.redhat.com/security/cve/CVE-2021-22963\nhttps://access.redhat.com/security/cve/CVE-2021-41089\nhttps://access.redhat.com/security/cve/CVE-2021-41091\nhttps://access.redhat.com/security/cve/CVE-2021-42574\nhttps://access.redhat.com/security/cve/CVE-2021-43565\nhttps://access.redhat.com/security/cve/CVE-2021-43816\nhttps://access.redhat.com/security/cve/CVE-2021-43858\nhttps://access.redhat.com/security/cve/CVE-2022-0185\nhttps://access.redhat.com/security/cve/CVE-2022-0235\nhttps://access.redhat.com/security/cve/CVE-2022-24407\nhttps://access.redhat.com/security/cve/CVE-2022-24450\nhttps://access.redhat.com/security/updates/classification/#important\n\n6. Contact:\n\nThe Red Hat security contact is \u003csecalert@redhat.com\u003e. More contact\ndetails at https://access.redhat.com/security/team/contact/\n\nCopyright 2022 Red Hat, Inc. 
\n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1\n\niQIVAwUBYiE9otzjgjWX9erEAQi0Ew/9EGNefP8TLEdc6Vq3zNtj01fnV0K4Crgi\nsgKVOx1PYO+xFfdJKXwN/dg4kCMZ5kXPzf+6BNudmEIjDxvl7/khvWnXfgXXX5Ml\n7/7vAzSkHETk63ZS8WJuXKXrfs56jEnNVpi86DgsjYcPocXmKk93OST0UlBV+Qec\nQjepL6X/khbKb3nCFBgSmejW2XWmqUNZ/XFOmrUtxxMyJ1PJTKmmpSIwWNy0uz9M\nvIECOhYPR9cOzF8NNQ5rby4/s7NyHnxLTWJcoUCNjCpJc7o7AswbQHjceLU3gX+b\nwkqNt7t7cEiBMvOdhRKWOyjVZ7hI8CbplRdJga52NsqhZtVMGXatK06DtTlPp4E4\nRUo+gO2ipbld2KlFydBF/Rohm4xls9yzYt6uGaxH+HW75hLJLNyDPYitZptvuWAT\nBJFVTguNuLw9M8dk7vnbGCHZGJSz0GAKW53kx7SGe4DFcFpUtfUPua1ZLdAyuz9y\najYfbvvr4G34hxl6H/ovFzd5ydrSZpOtP43jWSBiySYRe5oOCWupp5vt3TwJOWsT\nac6t4q350GEcUNRin99AGVv7Ch1Herrs+oVl4wd4jmtpHe35q2sOW4HlFhEOfsqa\nGy4qDhuSxvfie0ONHVAQylj7XsRdLfClRhWCT0YmZyXcZlbELom99aDapDO8Hioa\neqF6R05B/GE=\n=IaEk\n-----END PGP SIGNATURE-----\n\n--\nRHSA-announce mailing list\nRHSA-announce@redhat.com\nhttps://listman.redhat.com/mailman/listinfo/rhsa-announce\n. (BZ# 2033339)\n\n* Restore/backup shows up as Validation failed but the restore backup\nstatus in ACM shows success (BZ# 2034279)\n\n* Observability - OCP 311 node role are not displayed completely (BZ#\n2038650)\n\n* Documented uninstall procedure leaves many leftovers (BZ# 2041921)\n\n* infrastructure-operator pod crashes due to insufficient privileges in ACM\n2.5 (BZ# 2046554)\n\n* Acm failed to install due to some missing CRDs in operator (BZ# 2047463)\n\n* Navigation icons no longer showing in ACM 2.5 (BZ# 2051298)\n\n* ACM home page now includes /home/ in url (BZ# 2051299)\n\n* proxy heading in Add Credential should be capitalized (BZ# 2051349)\n\n* ACM 2.5 tries to create new MCE instance when install on top of existing\nMCE 2.0 (BZ# 2051983)\n\n* Create Policy button does not work and user cannot use console to create\npolicy (BZ# 2053264)\n\n* No cluster information was displayed after a policyset was created (BZ#\n2053366)\n\n* Dynamic plugin update does not take effect in Firefox (BZ# 2053516)\n\n* Replicated policy 
should not be available when creating a Policy Set (BZ#\n2054431)\n\n* Placement section in Policy Set wizard does not reset when users click\n\"Back\" to re-configured placement (BZ# 2054433)\n\n3. Bugs fixed (https://bugzilla.redhat.com/):\n\n2014557 - RFE Copy secret with specific secret namespace, name for source and name, namespace and cluster label for target\n2024702 - CVE-2021-3918 nodejs-json-schema: Prototype pollution vulnerability\n2024938 - CVE-2021-41190 opencontainers: OCI manifest and index parsing confusion\n2028224 - RHACM 2.5.0 images\n2028348 - [UI] When you delete host agent from infraenv no confirmation message appear (Are you sure you want to delete x?)\n2028647 - Clusters are in \u0027Degraded\u0027 status with upgrade env due to obs-controller not working properly\n2030787 - CVE-2021-43565 golang.org/x/crypto: empty plaintext packet causes panic\n2033339 - create cluster pool -\u003e choose infra type , As a result infra providers disappear from UI. \n2073179 - Policy controller was unable to retrieve violation status in for an OCP 3.11 managed cluster on ARM hub\n2073330 - Observabilityy - memory usage data are not collected even collect rule is fired on SNO\n2073355 - Get blank page when click policy with unknown status in Governance -\u003e Overview page\n2073508 - Thread responsible to get insights data from *ks clusters is broken\n2073557 - appsubstatus is not deleted for Helm applications when changing between 2 managed clusters\n2073726 - Placement of First Subscription gets overlapped by the Cluster Node in Application Topology\n2073739 - Console/App LC - Error message saying resource conflict only shows up in standalone ACM but not in Dynamic plugin\n2073740 - Console/App LC- Apps are deployed even though deployment do not proceed because of \"resource conflict\" error\n2074178 - Editing Helm Argo Applications does not Prune Old Resources\n2074626 - Policy placement failure during ZTP SNO scale test\n2074689 - CVE-2022-21803 nconf: 
Prototype pollution in memory store\n2074803 - The import cluster YAML editor shows the klusterletaddonconfig was required on MCE portal\n2074937 - UI allows creating cluster even when there are no ClusterImageSets\n2075416 - infraEnv failed to create image after restore\n2075440 - The policyreport CR is created for spoke clusters until restarted the insights-client pod\n2075739 - The lookup function won\u0027t check the referred resource whether exist when using template policies\n2076421 - Can\u0027t select existing placement for policy or policyset when editing policy or policyset\n2076494 - No policyreport CR for spoke clusters generated in the disconnected env\n2076502 - The policyset card doesn\u0027t show the cluster status(violation/without violation) again after deleted one policy\n2077144 - GRC Ansible automation wizard does not display error of missing dependent Ansible Automation Platform operator\n2077149 - App UI shows no clusters cluster column of App Table when Discovery Applications is deployed to a managed cluster\n2077291 - Prometheus doesn\u0027t display acm_managed_cluster_info after upgrade from 2.4 to 2.5\n2077304 - Create Cluster button is disabled only if other clusters exist\n2077526 - ACM UI is very very slow after upgrade from 2.4 to 2.5\n2077562 - Console/App LC- Helm and Object bucket applications are not showing as deployed in the UI\n2077751 - Can\u0027t create a template policy from UI when the object\u0027s name is referring Golang text template syntax in this policy\n2077783 - Still show violation for clusterserviceversions after enforced \"Detect Image vulnerabilities \" policy template and the operator is installed\n2077951 - Misleading message indicated that a placement of a policy became one managed only by policy set\n2078164 - Failed to edit a policy without placement\n2078167 - Placement binding and rule names are not created in yaml when editing a policy previously created with no placement\n2078373 - Disable the hyperlink 
of *ks node in standalone MCE environment since the search component was not exists\n2078617 - Azure public credential details get pre-populated with base domain name in UI\n2078952 - View pod logs in search details returns error\n2078973 - Crashed pod is marked with success in Topology\n2079013 - Changing existing placement rules does not change YAML file\n2079015 - Uninstall pod crashed when destroying Azure Gov cluster in ACM\n2079421 - Hyphen(s) is deleted unexpectedly in UI when yaml is turned on\n2079494 - Hitting Enter in yaml editor caused unexpected keys \"key00x:\" to be created\n2079533 - Clusters with no default clusterset do not get assigned default cluster when upgrading from ACM 2.4 to 2.5\n2079585 - When an Ansible Secret is propagated to an Ansible Application namespace, the propagated secret is shown in the Credentials page\n2079611 - Edit appset placement in UI with a different existing placement causes the current associated placement being deleted\n2079615 - Edit appset placement in UI with a new placement throws error upon submitting\n2079658 - Cluster Count is Incorrect in Application UI\n2079909 - Wrong message is displayed when GRC fails to connect to an ansible tower\n2080172 - Still create policy automation successfully when the PolicyAutomation name exceed 63 characters\n2080215 - Get a blank page after go to policies page in upgraded env when using an user with namespace-role-binding of default view role\n2080279 - CVE-2022-29810 go-getter: writes SSH credentials into logfile, exposing sensitive credentials to local uses\n2080503 - vSphere network name doesn\u0027t allow entering spaces and doesn\u0027t reflect YAML changes\n2080567 - Number of cluster in violation in the table does not match other cluster numbers on the policy set details page\n2080712 - Select an existing placement configuration does not work\n2080776 - Unrecognized characters are displayed on policy and policy set yaml editors\n2081792 - When deploying an application 
to a clusterpool claimed cluster after upgrade, the application does not get deployed to the cluster\n2081810 - Type \u0027-\u0027 character in Name field caused previously typed character backspaced in in the name field of policy wizard\n2081829 - Application deployed on local cluster\u0027s topology is crashing after upgrade\n2081938 - The deleted policy still be shown on the policyset review page when edit this policy set\n2082226 - Object Storage Topology includes residue of resources after Upgrade\n2082409 - Policy set details panel remains even after the policy set has been deleted\n2082449 - The hypershift-addon-agent deployment did not have imagePullSecrets\n2083038 - Warning still refers to the `klusterlet-addon-appmgr` pod rather than the `application-manager` pod\n2083160 - When editing a helm app with failing resources to another, the appsubstatus and the managedclusterview do not get updated\n2083434 - The provider-credential-controller did not support the RHV credentials type\n2083854 - When deploying an application with ansiblejobs multiple times with different namespaces, the topology shows all the ansiblejobs rather than just the one within the namespace\n2083870 - When editing an existing application and refreshing the `Select an existing placement configuration`, multiple occurrences of the placementrule gets displayed\n2084034 - The status message looks messy in the policy set card, suggest one kind status one a row\n2084158 - Support provisioning bm cluster where no provisioning network provided\n2084622 - Local Helm application shows cluster resources as `Not Deployed` in Topology [Upgrade]\n2085083 - Policies fail to copy to cluster namespace after ACM upgrade\n2085237 - Resources referenced by a channel are not annotated with backup label\n2085273 - Error querying for ansible job in app topology\n2085281 - Template name error is reported but the template name was found in a different replicated policy\n2086389 - The policy violations for 
hibernated cluster still be displayed on the policy set details page\n2087515 - Validation thrown out in configuration for disconnect install while creating bm credential\n2088158 - Object Storage Application deployed to all clusters is showing unemployed in topology [Upgrade]\n2088511 - Some cluster resources are not showing labels that are defined in the YAML\n\n5", "sources": [ { "db": "NVD", "id": "CVE-2021-43858" }, { "db": "JVNDB", "id": "JVNDB-2021-017335" }, { "db": "CNVD", "id": "CNVD-2022-08921" }, { "db": "VULMON", "id": "CVE-2021-43858" }, { "db": "PACKETSTORM", "id": "166199" }, { "db": "PACKETSTORM", "id": "167459" } ], "trust": 2.43 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2021-43858", "trust": 4.1 }, { "db": "JVNDB", "id": "JVNDB-2021-017335", "trust": 0.8 }, { "db": "PACKETSTORM", "id": "166199", "trust": 0.7 }, { "db": "CNVD", "id": "CNVD-2022-08921", "trust": 0.6 }, { "db": "AUSCERT", "id": "ESB-2022.0903", "trust": 0.6 }, { "db": "AUSCERT", "id": "ESB-2022.2855", "trust": 0.6 }, { "db": "CNNVD", "id": "CNNVD-202112-2635", "trust": 0.6 }, { "db": "VULMON", "id": "CVE-2021-43858", "trust": 0.1 }, { "db": "PACKETSTORM", "id": "167459", "trust": 0.1 } ], "sources": [ { "db": "CNVD", "id": "CNVD-2022-08921" }, { "db": "VULMON", "id": "CVE-2021-43858" }, { "db": "JVNDB", "id": "JVNDB-2021-017335" }, { "db": "PACKETSTORM", "id": "166199" }, { "db": "PACKETSTORM", "id": "167459" }, { "db": "CNNVD", "id": "CNNVD-202112-2635" }, { "db": "NVD", "id": "CVE-2021-43858" } ] }, "id": "VAR-202112-1852", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "CNVD", "id": 
"CNVD-2022-08921" } ], "trust": 1.6 }, "iot_taxonomy": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "category": [ "Network device" ], "sub_category": null, "trust": 0.6 } ], "sources": [ { "db": "CNVD", "id": "CNVD-2022-08921" } ] }, "last_update_date": "2024-11-23T20:34:00.465000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "Security\u00a0Bugfix\u00a0Release GitHub", "trust": 0.8, "url": "https://github.com/minio/minio/commit/5a96cbbeaabd0a82b0fe881378e7c21c85091abf" }, { "title": "Patch for Unknown Vulnerability in Minio MinIO", "trust": 0.6, "url": "https://www.cnvd.org.cn/patchInfo/show/318121" }, { "title": "Minio MinIO Security vulnerabilities", "trust": 0.6, "url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=176258" }, { "title": "Red Hat: CVE-2021-43858", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_cve_database\u0026qid=CVE-2021-43858" }, { "title": "Red Hat: Important: Red Hat Advanced Cluster Management 2.4.2 security updates and bug fixes", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20220735 - Security Advisory" }, { "title": "Red Hat: Important: Red Hat Advanced Cluster Management 2.5 security updates, images, and bug fixes", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20224956 - Security Advisory" }, { "title": "cve-2021-43858", "trust": 0.1, "url": "https://github.com/morhax/cve-2021-43858 " }, { "title": "", "trust": 0.1, "url": "https://github.com/soosmile/POC " }, { "title": "", "trust": 0.1, "url": 
"https://github.com/SYRTI/POC_to_review " } ], "sources": [ { "db": "CNVD", "id": "CNVD-2022-08921" }, { "db": "VULMON", "id": "CVE-2021-43858" }, { "db": "JVNDB", "id": "JVNDB-2021-017335" }, { "db": "CNNVD", "id": "CNNVD-202112-2635" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "CWE-863", "trust": 1.0 }, { "problemtype": "CWE-269", "trust": 1.0 }, { "problemtype": "Illegal authentication (CWE-863) [NVD evaluation ]", "trust": 0.8 } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2021-017335" }, { "db": "NVD", "id": "CVE-2021-43858" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 2.3, "url": "https://github.com/minio/minio/pull/13976" }, { "trust": 1.7, "url": "https://github.com/minio/minio/commit/5a96cbbeaabd0a82b0fe881378e7c21c85091abf" }, { "trust": 1.7, "url": "https://github.com/minio/minio/releases/tag/release.2021-12-27t07-23-18z" }, { "trust": 1.7, "url": "https://github.com/minio/minio/security/advisories/ghsa-j6jc-jqqc-p6cx" }, { "trust": 1.7, "url": "https://github.com/minio/minio/pull/7949" }, { "trust": 1.5, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-43858" }, { "trust": 0.6, "url": "https://www.auscert.org.au/bulletins/esb-2022.2855" }, { "trust": 0.6, "url": "https://vigilance.fr/vulnerability/minio-privilege-escalation-via-http-api-call-updating-policy-37422" }, { "trust": 0.6, "url": "https://www.auscert.org.au/bulletins/esb-2022.0903" }, { "trust": 0.6, "url": "https://packetstormsecurity.com/files/166199/red-hat-security-advisory-2022-0735-01.html" }, { "trust": 0.3, "url": "https://access.redhat.com/security/cve/cve-2021-43858" }, { "trust": 0.2, 
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-3918" }, { "trust": 0.2, "url": "https://access.redhat.com/security/updates/classification/#important" }, { "trust": 0.2, "url": "https://access.redhat.com/security/cve/cve-2021-43565" }, { "trust": 0.2, "url": "https://listman.redhat.com/mailman/listinfo/rhsa-announce" }, { "trust": 0.2, "url": "https://access.redhat.com/security/cve/cve-2021-43816" }, { "trust": 0.2, "url": "https://access.redhat.com/security/cve/cve-2021-3918" }, { "trust": 0.2, "url": "https://access.redhat.com/security/team/contact/" }, { "trust": 0.2, "url": "https://bugzilla.redhat.com/):" }, { "trust": 0.2, "url": "https://access.redhat.com/security/cve/cve-2022-24450" }, { "trust": 0.2, "url": "https://access.redhat.com/security/cve/cve-2022-0235" }, { "trust": 0.1, "url": "https://cwe.mitre.org/data/definitions/863.html" }, { "trust": 0.1, "url": "https://github.com/morhax/cve-2021-43858" }, { "trust": 0.1, "url": "https://nvd.nist.gov" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-3872" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-3521" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-4034" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-4034" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-4019" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-4155" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-4122" }, { "trust": 0.1, "url": "https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.4/html/release_notes/" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-3872" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-4192" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2022-0235" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-3712" }, { "trust": 0.1, 
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-22963" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-3984" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-22963" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-3984" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-4193" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2022-24407" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2022-24450" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2022-0185" }, { "trust": 0.1, "url": "https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.4/html-single/install/index#installing" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-3807" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-43565" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-42574" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2022-0185" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-4155" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-41091" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-4193" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-4122" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-42574" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-41089" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-41089" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-41091" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-3807" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-43816" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-4192" }, { "trust": 0.1, "url": 
"https://access.redhat.com/errata/rhsa-2022:0735" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-3712" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-4019" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2022-24407" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-3521" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-3752" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-4157" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-3669" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-3744" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2020-13974" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-45485" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-3773" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-4002" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-29154" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-43976" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-0941" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-43389" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-3634" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2020-27820" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-4189" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-44733" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-3752" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-21781" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-3634" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-3772" }, { "trust": 0.1, "url": 
"https://access.redhat.com/security/cve/cve-2020-19131" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-3773" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-4037" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-29154" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-37159" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2020-4788" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-3772" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2020-0404" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-3669" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-3764" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-20322" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-3743" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-43056" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-3612" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-3764" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-37159" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-41864" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2022-27191" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-4197" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-0941" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-3612" }, { "trust": 0.1, "url": "https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.5/html/release_notes/" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-26401" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2022-21803" }, { "trust": 0.1, "url": 
"https://access.redhat.com/security/cve/cve-2022-24778" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2020-27820" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-3743" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-3737" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2022-1011" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2020-13974" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-20322" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-4083" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-45486" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2022-0322" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2020-4788" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-3737" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-26401" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-4157" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2022-0286" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2022-0001" }, { "trust": 0.1, "url": "https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.5/html-single/install/index#installing" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-41190" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-3759" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-4083" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2022-24785" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2022-23806" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-41190" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-3759" }, { "trust": 0.1, "url": 
"https://nvd.nist.gov/vuln/detail/cve-2021-4037" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2022-29810" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-4002" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-21781" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2022-0002" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-4203" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-3744" }, { "trust": 0.1, "url": "https://access.redhat.com/errata/rhsa-2022:4956" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2020-19131" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2022-0778" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-42739" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2020-0404" } ], "sources": [ { "db": "CNVD", "id": "CNVD-2022-08921" }, { "db": "VULMON", "id": "CVE-2021-43858" }, { "db": "JVNDB", "id": "JVNDB-2021-017335" }, { "db": "PACKETSTORM", "id": "166199" }, { "db": "PACKETSTORM", "id": "167459" }, { "db": "CNNVD", "id": "CNNVD-202112-2635" }, { "db": "NVD", "id": "CVE-2021-43858" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "CNVD", "id": "CNVD-2022-08921" }, { "db": "VULMON", "id": "CVE-2021-43858" }, { "db": "JVNDB", "id": "JVNDB-2021-017335" }, { "db": "PACKETSTORM", "id": "166199" }, { "db": "PACKETSTORM", "id": "167459" }, { "db": "CNNVD", "id": "CNNVD-202112-2635" }, { "db": "NVD", "id": "CVE-2021-43858" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2022-02-09T00:00:00", "db": "CNVD", "id": "CNVD-2022-08921" }, { "date": "2021-12-27T00:00:00", "db": "VULMON", "id": "CVE-2021-43858" }, { "date": 
"2023-01-17T00:00:00", "db": "JVNDB", "id": "JVNDB-2021-017335" }, { "date": "2022-03-04T16:03:16", "db": "PACKETSTORM", "id": "166199" }, { "date": "2022-06-09T16:11:52", "db": "PACKETSTORM", "id": "167459" }, { "date": "2021-12-27T00:00:00", "db": "CNNVD", "id": "CNNVD-202112-2635" }, { "date": "2021-12-27T22:15:07.703000", "db": "NVD", "id": "CVE-2021-43858" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2022-02-09T00:00:00", "db": "CNVD", "id": "CNVD-2022-08921" }, { "date": "2022-08-09T00:00:00", "db": "VULMON", "id": "CVE-2021-43858" }, { "date": "2023-01-17T02:37:00", "db": "JVNDB", "id": "JVNDB-2021-017335" }, { "date": "2022-08-10T00:00:00", "db": "CNNVD", "id": "CNNVD-202112-2635" }, { "date": "2024-11-21T06:29:56.750000", "db": "NVD", "id": "CVE-2021-43858" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "CNNVD", "id": "CNNVD-202112-2635" } ], "trust": 0.6 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "MinIO\u00a0 Fraud related to unauthorized authentication in", "sources": [ { "db": "JVNDB", "id": "JVNDB-2021-017335" } ], "trust": 0.8 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "other", "sources": [ { "db": "CNNVD", "id": "CNNVD-202112-2635" } ], "trust": 0.6 } }
var-202110-0560
Vulnerability from variot
Minio is a Kubernetes native application for cloud storage. All users on release RELEASE.2021-10-10T16-53-30Z are affected by a vulnerability that involves bypassing policy restrictions on regular users. Normally, checkKeyValid() should return owner true for rootCreds. In the affected version, policy restriction did not work properly for users who did not have service (svc) or security token service (STS) accounts. This issue is fixed in RELEASE.2021-10-13T00-23-17Z. A downgrade back to release RELEASE.2021-10-08T23-58-24Z is available as a workaround.
{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-202110-0560", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "minio", "scope": "eq", "trust": 1.0, "vendor": "minio", "version": "2021-10-10t16-53-30z" } ], "sources": [ { "db": "NVD", "id": "CVE-2021-41137" } ] }, "configurations": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/configurations#", "children": { "@container": "@list" }, 
"cpe_match": { "@container": "@list" }, "data": { "@container": "@list" }, "nodes": { "@container": "@list" } }, "data": [ { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:minio:minio:2021-10-10t16-53-30z:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" } ] } ], "sources": [ { "db": "NVD", "id": "CVE-2021-41137" } ] }, "cve": "CVE-2021-41137", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [ { "acInsufInfo": false, "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "author": "NVD", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "exploitabilityScore": 8.0, "impactScore": 6.4, "integrityImpact": "PARTIAL", "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "trust": 1.0, "userInteractionRequired": false, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" } ], "cvssV3": [ { "attackComplexity": "LOW", "attackVector": "NETWORK", "author": "security-advisories@github.com", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "exploitabilityScore": 2.8, "impactScore": 5.9, "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "trust": 1.0, "userInteraction": 
"NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } ], "severity": [ { "author": "NVD", "id": "CVE-2021-41137", "trust": 1.0, "value": "MEDIUM" }, { "author": "security-advisories@github.com", "id": "CVE-2021-41137", "trust": 1.0, "value": "HIGH" }, { "author": "CNNVD", "id": "CNNVD-202110-973", "trust": 0.6, "value": "HIGH" } ] } ], "sources": [ { "db": "NVD", "id": "CVE-2021-41137" }, { "db": "NVD", "id": "CVE-2021-41137" }, { "db": "CNNVD", "id": "CNNVD-202110-973" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Minio is a Kubernetes native application for cloud storage. All users on release `RELEASE.2021-10-10T16-53-30Z` are affected by a vulnerability that involves bypassing policy restrictions on regular users. Normally, checkKeyValid() should return owner true for rootCreds. In the affected version, policy restriction did not work properly for users who did not have service (svc) or security token service (STS) accounts. This issue is fixed in `RELEASE.2021-10-13T00-23-17Z`. 
A downgrade back to release `RELEASE.2021-10-08T23-58-24Z` is available as a workaround.", "sources": [ { "db": "NVD", "id": "CVE-2021-41137" } ], "trust": 1.0 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2021-41137", "trust": 1.6 }, { "db": "CNNVD", "id": "CNNVD-202110-973", "trust": 0.6 } ], "sources": [ { "db": "NVD", "id": "CVE-2021-41137" }, { "db": "CNNVD", "id": "CNNVD-202110-973" } ] }, "id": "VAR-202110-0560", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "VARIoT devices database", "id": null } ], "trust": 0.18899521 }, "last_update_date": "2023-12-18T13:12:22.924000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "Minio Remediation measures for authorization problem vulnerabilities", "trust": 0.6, "url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=165635" } ], "sources": [ { "db": "CNNVD", "id": "CNNVD-202110-973" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "NVD-CWE-Other", "trust": 1.0 } ], "sources": [ { "db": "NVD", "id": "CVE-2021-41137" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 
1.6, "url": "https://github.com/minio/minio/commit/415bbc74aacd53a120e54a663e941b1809982dbd" }, { "trust": 1.6, "url": "https://github.com/minio/minio/pull/13388" }, { "trust": 1.6, "url": "https://github.com/minio/minio/pull/13422" }, { "trust": 1.6, "url": "https://github.com/minio/minio/security/advisories/ghsa-v64v-g97p-577c" }, { "trust": 0.6, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-41137" } ], "sources": [ { "db": "NVD", "id": "CVE-2021-41137" }, { "db": "CNNVD", "id": "CNNVD-202110-973" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "NVD", "id": "CVE-2021-41137" }, { "db": "CNNVD", "id": "CNNVD-202110-973" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2021-10-13T14:15:07.827000", "db": "NVD", "id": "CVE-2021-41137" }, { "date": "2021-10-13T00:00:00", "db": "CNNVD", "id": "CNNVD-202110-973" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2022-08-12T16:29:57.947000", "db": "NVD", "id": "CVE-2021-41137" }, { "date": "2022-08-15T00:00:00", "db": "CNNVD", "id": "CNNVD-202110-973" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "CNNVD", "id": "CNNVD-202110-973" } ], "trust": 0.6 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "MinIO Security hole", "sources": [ { "db": "CNNVD", "id": "CNNVD-202110-973" } ], "trust": 0.6 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", 
"sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "other", "sources": [ { "db": "CNNVD", "id": "CNNVD-202110-973" } ], "trust": 0.6 } }
var-202004-2185
Vulnerability from variot
MinIO versions before RELEASE.2020-04-23T00-58-49Z have an authentication bypass issue in the MinIO admin API. Given an admin access key, it is possible to perform admin API operations (i.e. creating new service accounts for existing access keys) without knowing the admin secret key. This has been fixed and released in version RELEASE.2020-04-23T00-58-49Z. There is an authentication vulnerability in MinIO. Information may be tampered with.
{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-202004-2185", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "minio", "scope": "lt", "trust": 1.0, "vendor": "minio", "version": "2020-04-23t00-58-49z" }, { "model": "minio", "scope": "eq", "trust": 0.8, "vendor": "minio", "version": "release.2020-04-23t00-58-49z" } ], "sources": [ { "db": "JVNDB", "id": 
"JVNDB-2020-004949" }, { "db": "NVD", "id": "CVE-2020-11012" } ] }, "configurations": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/configurations#", "children": { "@container": "@list" }, "cpe_match": { "@container": "@list" }, "data": { "@container": "@list" }, "nodes": { "@container": "@list" } }, "data": [ { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "2020-04-23t00-58-49z", "vulnerable": true } ], "operator": "OR" } ] } ], "sources": [ { "db": "NVD", "id": "CVE-2020-11012" } ] }, "cve": "CVE-2020-11012", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [ { "acInsufInfo": false, "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "author": "NVD", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "exploitabilityScore": 10.0, "impactScore": 2.9, "integrityImpact": "PARTIAL", "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "trust": 1.0, "userInteractionRequired": false, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0" }, { "acInsufInfo": null, "accessComplexity": "Low", "accessVector": "Network", "authentication": "None", "author": "NVD", "availabilityImpact": "None", "baseScore": 
5.0, "confidentialityImpact": "None", "exploitabilityScore": null, "id": "JVNDB-2020-004949", "impactScore": null, "integrityImpact": "Partial", "obtainAllPrivilege": null, "obtainOtherPrivilege": null, "obtainUserPrivilege": null, "severity": "Medium", "trust": 0.8, "userInteractionRequired": null, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0" } ], "cvssV3": [ { "attackComplexity": "LOW", "attackVector": "NETWORK", "author": "NVD", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "exploitabilityScore": 3.9, "impactScore": 3.6, "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "trust": 1.0, "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" }, { "attackComplexity": "LOW", "attackVector": "NETWORK", "author": "security-advisories@github.com", "availabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "LOW", "exploitabilityScore": 3.9, "impactScore": 4.7, "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "trust": 1.0, "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N", "version": "3.1" }, { "attackComplexity": "Low", "attackVector": "Network", "author": "NVD", "availabilityImpact": "None", "baseScore": 7.5, "baseSeverity": "High", "confidentialityImpact": "None", "exploitabilityScore": null, "id": "JVNDB-2020-004949", "impactScore": null, "integrityImpact": "High", "privilegesRequired": "None", "scope": "Unchanged", "trust": 0.8, "userInteraction": "None", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.0" } ], "severity": [ { "author": "NVD", "id": "CVE-2020-11012", "trust": 1.0, "value": "HIGH" }, { "author": "security-advisories@github.com", "id": "CVE-2020-11012", "trust": 1.0, "value": "CRITICAL" }, { "author": "NVD", "id": "JVNDB-2020-004949", "trust": 0.8, "value": 
"High" }, { "author": "CNNVD", "id": "CNNVD-202004-2042", "trust": 0.6, "value": "HIGH" } ] } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2020-004949" }, { "db": "NVD", "id": "CVE-2020-11012" }, { "db": "NVD", "id": "CVE-2020-11012" }, { "db": "CNNVD", "id": "CNNVD-202004-2042" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "MinIO versions before RELEASE.2020-04-23T00-58-49Z have an authentication bypass issue in the MinIO admin API. Given an admin access key, it is possible to perform admin API operations i.e. creating new service accounts for existing access keys - without knowing the admin secret key. This has been fixed and released in version RELEASE.2020-04-23T00-58-49Z. MinIO There is an authentication vulnerability in.Information may be tampered with", "sources": [ { "db": "NVD", "id": "CVE-2020-11012" }, { "db": "JVNDB", "id": "JVNDB-2020-004949" } ], "trust": 1.62 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2020-11012", "trust": 2.4 }, { "db": "JVNDB", "id": "JVNDB-2020-004949", "trust": 0.8 }, { "db": "CNNVD", "id": "CNNVD-202004-2042", "trust": 0.6 } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2020-004949" }, { "db": "NVD", "id": "CVE-2020-11012" }, { "db": "CNNVD", "id": "CNNVD-202004-2042" } ] }, "id": "VAR-202004-2185", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "VARIoT devices database", "id": null } ], "trust": 0.18899521 }, "last_update_date": "2023-12-18T13:37:49.133000Z", "patch": { "@context": { 
"@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "Top Page", "trust": 0.8, "url": "https://min.io/" }, { "title": "MinIO Security vulnerabilities", "trust": 0.6, "url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=116797" } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2020-004949" }, { "db": "CNNVD", "id": "CNNVD-202004-2042" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "CWE-755", "trust": 1.0 }, { "problemtype": "CWE-287", "trust": 0.8 } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2020-004949" }, { "db": "NVD", "id": "CVE-2020-11012" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 2.4, "url": "https://github.com/minio/minio/commit/4cd6ca02c7957aeb2de3eede08b0754332a77923" }, { "trust": 1.6, "url": "https://github.com/minio/minio/pull/9422" }, { "trust": 1.6, "url": "https://github.com/minio/minio/releases/tag/release.2020-04-23t00-58-49z" }, { "trust": 1.6, "url": "https://github.com/minio/minio/security/advisories/ghsa-xv4r-vccv-mg4w" }, { "trust": 0.8, "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-11012" }, { "trust": 0.8, "url": "https://nvd.nist.gov/vuln/detail/cve-2020-11012\\" }, { "trust": 0.6, "url": "https://nvd.nist.gov/vuln/detail/cve-2020-11012" } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2020-004949" }, { "db": "NVD", "id": "CVE-2020-11012" }, { "db": "CNNVD", "id": "CNNVD-202004-2042" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", 
"data": { "@container": "@list" } }, "data": [ { "db": "JVNDB", "id": "JVNDB-2020-004949" }, { "db": "NVD", "id": "CVE-2020-11012" }, { "db": "CNNVD", "id": "CNNVD-202004-2042" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2020-06-03T00:00:00", "db": "JVNDB", "id": "JVNDB-2020-004949" }, { "date": "2020-04-23T22:15:12.833000", "db": "NVD", "id": "CVE-2020-11012" }, { "date": "2020-04-23T00:00:00", "db": "CNNVD", "id": "CNNVD-202004-2042" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2020-06-03T00:00:00", "db": "JVNDB", "id": "JVNDB-2020-004949" }, { "date": "2021-10-26T20:02:15.260000", "db": "NVD", "id": "CVE-2020-11012" }, { "date": "2021-10-27T00:00:00", "db": "CNNVD", "id": "CNNVD-202004-2042" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "CNNVD", "id": "CNNVD-202004-2042" } ], "trust": 0.6 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "MinIO Authentication vulnerabilities in", "sources": [ { "db": "JVNDB", "id": "JVNDB-2020-004949" } ], "trust": 0.8 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "authorization issue", "sources": [ { "db": "CNNVD", "id": "CNNVD-202004-2042" } ], "trust": 0.6 } }
cve-2022-24842
Vulnerability from cvelistv5
| URL | Tags |
---|---|---|
https://github.com/minio/minio/security/advisories/GHSA-2j69-jjmg-534q | x_refsource_CONFIRM | |
https://github.com/minio/minio/pull/14729 | x_refsource_MISC | |
https://github.com/minio/minio/commit/66b14a0d32684d527ae8018dc6d9d46ccce58ae3 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T04:20:50.468Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/minio/minio/security/advisories/GHSA-2j69-jjmg-534q" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/minio/minio/pull/14729" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/minio/minio/commit/66b14a0d32684d527ae8018dc6d9d46ccce58ae3" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "minio", "vendor": "minio", "versions": [ { "status": "affected", "version": "\u003c RELEASE.2022-04-12T06-55-35Z" } ] } ], "descriptions": [ { "lang": "en", "value": "MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. A security issue was found where an non-admin user is able to create service accounts for root or other admin users and then is able to assume their access policies via the generated credentials. This in turn allows the user to escalate privilege to that of the root user. This vulnerability has been resolved in pull request #14729 and is included in `RELEASE.2022-04-12T06-55-35Z`. Users unable to upgrade may workaround this issue by explicitly adding a `admin:CreateServiceAccount` deny policy, however, this, in turn, denies the user the ability to create their own service accounts as well." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-269", "description": "CWE-269: Improper Privilege Management", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-04-12T17:20:18", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/minio/minio/security/advisories/GHSA-2j69-jjmg-534q" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/minio/minio/pull/14729" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/minio/minio/commit/66b14a0d32684d527ae8018dc6d9d46ccce58ae3" } ], "source": { "advisory": "GHSA-2j69-jjmg-534q", "discovery": "UNKNOWN" }, "title": "Improper Privilege Management in MinIO", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-24842", "STATE": "PUBLIC", "TITLE": "Improper Privilege Management in MinIO" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "minio", "version": { "version_data": [ { "version_value": "\u003c RELEASE.2022-04-12T06-55-35Z" } ] } } ] }, "vendor_name": "minio" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. A security issue was found where an non-admin user is able to create service accounts for root or other admin users and then is able to assume their access policies via the generated credentials. 
This in turn allows the user to escalate privilege to that of the root user. This vulnerability has been resolved in pull request #14729 and is included in `RELEASE.2022-04-12T06-55-35Z`. Users unable to upgrade may workaround this issue by explicitly adding a `admin:CreateServiceAccount` deny policy, however, this, in turn, denies the user the ability to create their own service accounts as well." } ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-269: Improper Privilege Management" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/minio/minio/security/advisories/GHSA-2j69-jjmg-534q", "refsource": "CONFIRM", "url": "https://github.com/minio/minio/security/advisories/GHSA-2j69-jjmg-534q" }, { "name": "https://github.com/minio/minio/pull/14729", "refsource": "MISC", "url": "https://github.com/minio/minio/pull/14729" }, { "name": "https://github.com/minio/minio/commit/66b14a0d32684d527ae8018dc6d9d46ccce58ae3", "refsource": "MISC", "url": "https://github.com/minio/minio/commit/66b14a0d32684d527ae8018dc6d9d46ccce58ae3" } ] }, "source": { "advisory": "GHSA-2j69-jjmg-534q", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-24842", "datePublished": "2022-04-12T17:20:18", "dateReserved": "2022-02-10T00:00:00", "dateUpdated": "2024-08-03T04:20:50.468Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-24747
Vulnerability from cvelistv5
| URL | Tags |
---|---|---|
https://github.com/minio/minio/security/advisories/GHSA-xx8w-mq23-29g4 | x_refsource_CONFIRM | |
https://github.com/minio/minio/commit/0ae4915a9391ef4b3ec80f5fcdcf24ee6884e776 | x_refsource_MISC | |
https://github.com/minio/minio/releases/tag/RELEASE.2024-01-31T20-20-33Z | x_refsource_MISC |
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "minio", "vendor": "minio", "versions": [ { "lessThan": "RELEASE.2024-01-31T20-20-33Z", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-24747", "options": [ { "Exploitation": "poc" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-05-09T04:00:49.594536Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-06T14:14:48.455Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-01T23:28:11.919Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/minio/minio/security/advisories/GHSA-xx8w-mq23-29g4", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/minio/minio/security/advisories/GHSA-xx8w-mq23-29g4" }, { "name": "https://github.com/minio/minio/commit/0ae4915a9391ef4b3ec80f5fcdcf24ee6884e776", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/minio/minio/commit/0ae4915a9391ef4b3ec80f5fcdcf24ee6884e776" }, { "name": "https://github.com/minio/minio/releases/tag/RELEASE.2024-01-31T20-20-33Z", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/minio/minio/releases/tag/RELEASE.2024-01-31T20-20-33Z" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "minio", "vendor": "minio", "versions": [ { "status": "affected", "version": "\u003c RELEASE.2024-01-31T20-20-33Z" } ] } ], "descriptions": [ { "lang": "en", "value": "MinIO is a High Performance Object Storage. When someone creates an access key, it inherits the permissions of the parent key. 
Not only for `s3:*` actions, but also `admin:*` actions. Which means unless somewhere above in the access-key hierarchy, the `admin` rights are denied, access keys will be able to simply override their own `s3` permissions to something more permissive. The vulnerability is fixed in RELEASE.2024-01-31T20-20-33Z." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-269", "description": "CWE-269: Improper Privilege Management", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-01-31T22:10:23.375Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/minio/minio/security/advisories/GHSA-xx8w-mq23-29g4", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/minio/minio/security/advisories/GHSA-xx8w-mq23-29g4" }, { "name": "https://github.com/minio/minio/commit/0ae4915a9391ef4b3ec80f5fcdcf24ee6884e776", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/minio/minio/commit/0ae4915a9391ef4b3ec80f5fcdcf24ee6884e776" }, { "name": "https://github.com/minio/minio/releases/tag/RELEASE.2024-01-31T20-20-33Z", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/minio/minio/releases/tag/RELEASE.2024-01-31T20-20-33Z" } ], "source": { "advisory": "GHSA-xx8w-mq23-29g4", "discovery": "UNKNOWN" }, "title": "MinIO unsafe default: Access keys inherit `admin` of root user, allowing privilege escalation" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-24747", "datePublished": "2024-01-31T22:10:23.375Z", 
"dateReserved": "2024-01-29T20:51:26.009Z", "dateUpdated": "2024-08-01T23:28:11.919Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-11012
Vulnerability from cvelistv5
| URL | Tags |
---|---|---|
https://github.com/minio/minio/security/advisories/GHSA-xv4r-vccv-mg4w | x_refsource_CONFIRM | |
https://github.com/minio/minio/pull/9422 | x_refsource_MISC | |
https://github.com/minio/minio/commit/4cd6ca02c7957aeb2de3eede08b0754332a77923 | x_refsource_MISC | |
https://github.com/minio/minio/releases/tag/RELEASE.2020-04-23T00-58-49Z | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T11:21:14.522Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/minio/minio/security/advisories/GHSA-xv4r-vccv-mg4w" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/minio/minio/pull/9422" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/minio/minio/commit/4cd6ca02c7957aeb2de3eede08b0754332a77923" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/minio/minio/releases/tag/RELEASE.2020-04-23T00-58-49Z" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "minio", "vendor": "MinIO", "versions": [ { "status": "affected", "version": "\u003c RELEASE.2020-04-23T00-58-49Z" } ] } ], "descriptions": [ { "lang": "en", "value": "MinIO versions before RELEASE.2020-04-23T00-58-49Z have an authentication bypass issue in the MinIO admin API. Given an admin access key, it is possible to perform admin API operations i.e. creating new service accounts for existing access keys - without knowing the admin secret key. This has been fixed and released in version RELEASE.2020-04-23T00-58-49Z." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-305", "description": "CWE-305: Authentication Bypass by Primary Weakness", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2020-04-23T21:55:14", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/minio/minio/security/advisories/GHSA-xv4r-vccv-mg4w" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/minio/minio/pull/9422" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/minio/minio/commit/4cd6ca02c7957aeb2de3eede08b0754332a77923" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/minio/minio/releases/tag/RELEASE.2020-04-23T00-58-49Z" } ], "source": { "advisory": "GHSA-xv4r-vccv-mg4w", "discovery": "UNKNOWN" }, "title": "Authentication bypass MinIO Admin API", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-11012", "STATE": "PUBLIC", "TITLE": "Authentication bypass MinIO Admin API" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "minio", "version": { "version_data": [ { "version_value": "\u003c RELEASE.2020-04-23T00-58-49Z" } ] } } ] }, "vendor_name": "MinIO" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "MinIO versions before RELEASE.2020-04-23T00-58-49Z have an authentication bypass issue in the MinIO admin API. 
Given an admin access key, it is possible to perform admin API operations i.e. creating new service accounts for existing access keys - without knowing the admin secret key. This has been fixed and released in version RELEASE.2020-04-23T00-58-49Z." } ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-305: Authentication Bypass by Primary Weakness" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/minio/minio/security/advisories/GHSA-xv4r-vccv-mg4w", "refsource": "CONFIRM", "url": "https://github.com/minio/minio/security/advisories/GHSA-xv4r-vccv-mg4w" }, { "name": "https://github.com/minio/minio/pull/9422", "refsource": "MISC", "url": "https://github.com/minio/minio/pull/9422" }, { "name": "https://github.com/minio/minio/commit/4cd6ca02c7957aeb2de3eede08b0754332a77923", "refsource": "MISC", "url": "https://github.com/minio/minio/commit/4cd6ca02c7957aeb2de3eede08b0754332a77923" }, { "name": "https://github.com/minio/minio/releases/tag/RELEASE.2020-04-23T00-58-49Z", "refsource": "MISC", "url": "https://github.com/minio/minio/releases/tag/RELEASE.2020-04-23T00-58-49Z" } ] }, "source": { "advisory": "GHSA-xv4r-vccv-mg4w", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2020-11012", "datePublished": "2020-04-23T21:55:14", "dateReserved": "2020-03-30T00:00:00", "dateUpdated": "2024-08-04T11:21:14.522Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-41137
Vulnerability from cvelistv5
| URL | Tags |
---|---|---|
https://github.com/minio/minio/security/advisories/GHSA-v64v-g97p-577c | x_refsource_CONFIRM | |
https://github.com/minio/minio/pull/13388 | x_refsource_MISC | |
https://github.com/minio/minio/pull/13422 | x_refsource_MISC | |
https://github.com/minio/minio/commit/415bbc74aacd53a120e54a663e941b1809982dbd | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T02:59:31.695Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/minio/minio/security/advisories/GHSA-v64v-g97p-577c" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/minio/minio/pull/13388" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/minio/minio/pull/13422" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/minio/minio/commit/415bbc74aacd53a120e54a663e941b1809982dbd" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "minio", "vendor": "minio", "versions": [ { "status": "affected", "version": "= RELEASE.2021-10-10T16-53-30Z" } ] } ], "descriptions": [ { "lang": "en", "value": "Minio is a Kubernetes native application for cloud storage. All users on release `RELEASE.2021-10-10T16-53-30Z` are affected by a vulnerability that involves bypassing policy restrictions on regular users. Normally, checkKeyValid() should return owner true for rootCreds. In the affected version, policy restriction did not work properly for users who did not have service (svc) or security token service (STS) accounts. This issue is fixed in `RELEASE.2021-10-13T00-23-17Z`. A downgrade back to release `RELEASE.2021-10-08T23-58-24Z` is available as a workaround." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-285", "description": "CWE-285: Improper Authorization", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-10-13T14:00:12", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/minio/minio/security/advisories/GHSA-v64v-g97p-577c" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/minio/minio/pull/13388" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/minio/minio/pull/13422" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/minio/minio/commit/415bbc74aacd53a120e54a663e941b1809982dbd" } ], "source": { "advisory": "GHSA-v64v-g97p-577c", "discovery": "UNKNOWN" }, "title": "Bypassing policy restrictions on regular users ", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-41137", "STATE": "PUBLIC", "TITLE": "Bypassing policy restrictions on regular users " }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "minio", "version": { "version_data": [ { "version_value": "= RELEASE.2021-10-10T16-53-30Z" } ] } } ] }, "vendor_name": "minio" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Minio is a Kubernetes native application for cloud storage. 
All users on release `RELEASE.2021-10-10T16-53-30Z` are affected by a vulnerability that involves bypassing policy restrictions on regular users. Normally, checkKeyValid() should return owner true for rootCreds. In the affected version, policy restriction did not work properly for users who did not have service (svc) or security token service (STS) accounts. This issue is fixed in `RELEASE.2021-10-13T00-23-17Z`. A downgrade back to release `RELEASE.2021-10-08T23-58-24Z` is available as a workaround." } ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-285: Improper Authorization" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/minio/minio/security/advisories/GHSA-v64v-g97p-577c", "refsource": "CONFIRM", "url": "https://github.com/minio/minio/security/advisories/GHSA-v64v-g97p-577c" }, { "name": "https://github.com/minio/minio/pull/13388", "refsource": "MISC", "url": "https://github.com/minio/minio/pull/13388" }, { "name": "https://github.com/minio/minio/pull/13422", "refsource": "MISC", "url": "https://github.com/minio/minio/pull/13422" }, { "name": "https://github.com/minio/minio/commit/415bbc74aacd53a120e54a663e941b1809982dbd", "refsource": "MISC", "url": "https://github.com/minio/minio/commit/415bbc74aacd53a120e54a663e941b1809982dbd" } ] }, "source": { "advisory": "GHSA-v64v-g97p-577c", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-41137", "datePublished": "2021-10-13T14:00:13", "dateReserved": 
"2021-09-15T00:00:00", "dateUpdated": "2024-08-04T02:59:31.695Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-36107
Vulnerability from cvelistv5
| URL | Tags |
---|---|---|
https://github.com/minio/minio/security/advisories/GHSA-95fr-cm4m-q5p9 | x_refsource_CONFIRM | |
https://github.com/minio/minio/pull/19810 | x_refsource_MISC | |
https://github.com/minio/minio/commit/e0fe7cc391724fc5baa85b45508f425020fe4272 | x_refsource_MISC | |
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-Modified-Since | x_refsource_MISC | |
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-Unmodified-Since | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T03:30:13.046Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/minio/minio/security/advisories/GHSA-95fr-cm4m-q5p9", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/minio/minio/security/advisories/GHSA-95fr-cm4m-q5p9" }, { "name": "https://github.com/minio/minio/pull/19810", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/minio/minio/pull/19810" }, { "name": "https://github.com/minio/minio/commit/e0fe7cc391724fc5baa85b45508f425020fe4272", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/minio/minio/commit/e0fe7cc391724fc5baa85b45508f425020fe4272" }, { "name": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-Modified-Since", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-Modified-Since" }, { "name": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-Unmodified-Since", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-Unmodified-Since" } ], "title": "CVE Program Container" }, { "affected": [ { "cpes": [ "cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "minio", "vendor": "minio", "versions": [ { "lessThan": "RELEASE.2024-05-27T19-17-46Z", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-36107", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-08-06T20:51:21.860158Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-03T15:28:54.674Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP 
Vulnrichment" } ], "cna": { "affected": [ { "product": "minio", "vendor": "minio", "versions": [ { "status": "affected", "version": "\u003c RELEASE.2024-05-27T19-17-46Z" } ] } ], "descriptions": [ { "lang": "en", "value": "MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. `If-Modified-Since` and `If-Unmodified-Since` headers when used with anonymous requests by sending a random object name requests can be used to determine if an object exists or not on the server on a specific bucket and also gain access to some amount of\ninformation such as `Last-Modified (of the latest version)`, `Etag (of the latest version)`, `x-amz-version-id (of the latest version)`, `Expires (metadata value of the latest version)`, `Cache-Control (metadata value of the latest version)`. This conditional check was being honored before validating if the anonymous access is indeed allowed on the metadata of an object. This issue has been addressed in commit `e0fe7cc3917`. Users must upgrade to RELEASE.2024-05-27T19-17-46Z for the fix. There are no known workarounds for this issue." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-05-28T18:50:51.013Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/minio/minio/security/advisories/GHSA-95fr-cm4m-q5p9", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/minio/minio/security/advisories/GHSA-95fr-cm4m-q5p9" }, { "name": "https://github.com/minio/minio/pull/19810", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/minio/minio/pull/19810" }, { "name": "https://github.com/minio/minio/commit/e0fe7cc391724fc5baa85b45508f425020fe4272", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/minio/minio/commit/e0fe7cc391724fc5baa85b45508f425020fe4272" }, { "name": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-Modified-Since", "tags": [ "x_refsource_MISC" ], "url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-Modified-Since" }, { "name": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-Unmodified-Since", "tags": [ "x_refsource_MISC" ], "url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-Unmodified-Since" } ], "source": { "advisory": "GHSA-95fr-cm4m-q5p9", "discovery": "UNKNOWN" }, "title": "Information disclosure in minio" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-36107", "datePublished": 
"2024-05-28T18:50:51.013Z", "dateReserved": "2024-05-20T21:07:48.186Z", "dateUpdated": "2024-09-03T15:28:54.674Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-21390
Vulnerability from cvelistv5
| URL | Tags |
---|---|---|
https://github.com/minio/minio/security/advisories/GHSA-xr7r-7gpj-5pgp | x_refsource_CONFIRM | |
https://github.com/minio/minio/pull/11801 | x_refsource_MISC | |
https://github.com/minio/minio/commit/e197800f9055489415b53cf137e31e194aaf7ba0 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T18:09:16.085Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/minio/minio/security/advisories/GHSA-xr7r-7gpj-5pgp" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/minio/minio/pull/11801" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/minio/minio/commit/e197800f9055489415b53cf137e31e194aaf7ba0" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "minio", "vendor": "minio", "versions": [ { "status": "affected", "version": "\u003c RELEASE.2021-03-17T02-33-02Z" } ] } ], "descriptions": [ { "lang": "en", "value": "MinIO is an open-source high performance object storage service and it is API compatible with Amazon S3 cloud storage service. In MinIO before version RELEASE.2021-03-17T02-33-02Z, there is a vulnerability which enables MITM modification of request bodies that are meant to have integrity guaranteed by chunk signatures. In a PUT request using aws-chunked encoding, MinIO ordinarily verifies signatures at the end of a chunk. This check can be skipped if the client sends a false chunk size that is much greater than the actual data sent: the server accepts and completes the request without ever reaching the end of the chunk + thereby without ever checking the chunk signature. This is fixed in version RELEASE.2021-03-17T02-33-02Z. As a workaround one can avoid using \"aws-chunked\" encoding-based chunk signature upload requests instead use TLS. MinIO SDKs automatically disable chunked encoding signature when the server endpoint is configured with TLS." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-924", "description": "CWE-924: Improper Enforcement of Message Integrity During Transmission in a Communication Channel", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-03-19T16:00:17", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/minio/minio/security/advisories/GHSA-xr7r-7gpj-5pgp" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/minio/minio/pull/11801" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/minio/minio/commit/e197800f9055489415b53cf137e31e194aaf7ba0" } ], "source": { "advisory": "GHSA-xr7r-7gpj-5pgp", "discovery": "UNKNOWN" }, "title": "MITM modification of request bodies in MinIO", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-21390", "STATE": "PUBLIC", "TITLE": "MITM modification of request bodies in MinIO" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "minio", "version": { "version_data": [ { "version_value": "\u003c RELEASE.2021-03-17T02-33-02Z" } ] } } ] }, "vendor_name": "minio" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "MinIO is an open-source high performance object storage service and it is API compatible with Amazon S3 cloud storage service. 
In MinIO before version RELEASE.2021-03-17T02-33-02Z, there is a vulnerability which enables MITM modification of request bodies that are meant to have integrity guaranteed by chunk signatures. In a PUT request using aws-chunked encoding, MinIO ordinarily verifies signatures at the end of a chunk. This check can be skipped if the client sends a false chunk size that is much greater than the actual data sent: the server accepts and completes the request without ever reaching the end of the chunk and thereby without ever checking the chunk signature. This is fixed in version RELEASE.2021-03-17T02-33-02Z. As a workaround, one can avoid using \"aws-chunked\" encoding-based chunk signature upload requests and instead use TLS. MinIO SDKs automatically disable chunked encoding signature when the server endpoint is configured with TLS." } ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-924: Improper Enforcement of Message Integrity During Transmission in a Communication Channel" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/minio/minio/security/advisories/GHSA-xr7r-7gpj-5pgp", "refsource": "CONFIRM", "url": "https://github.com/minio/minio/security/advisories/GHSA-xr7r-7gpj-5pgp" }, { "name": "https://github.com/minio/minio/pull/11801", "refsource": "MISC", "url": "https://github.com/minio/minio/pull/11801" }, { "name": "https://github.com/minio/minio/commit/e197800f9055489415b53cf137e31e194aaf7ba0", "refsource": "MISC", "url": "https://github.com/minio/minio/commit/e197800f9055489415b53cf137e31e194aaf7ba0" } ] }, "source": { 
"advisory": "GHSA-xr7r-7gpj-5pgp", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-21390", "datePublished": "2021-03-19T16:00:17", "dateReserved": "2020-12-22T00:00:00", "dateUpdated": "2024-08-03T18:09:16.085Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-27589
Vulnerability from cvelistv5
▼ | URL | Tags |
---|---|---|
https://github.com/minio/minio/security/advisories/GHSA-9wfv-wmf7-6753 | x_refsource_CONFIRM | |
https://github.com/minio/minio/pull/16803 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T12:16:36.220Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/minio/minio/security/advisories/GHSA-9wfv-wmf7-6753", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/minio/minio/security/advisories/GHSA-9wfv-wmf7-6753" }, { "name": "https://github.com/minio/minio/pull/16803", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/minio/minio/pull/16803" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "minio", "vendor": "minio", "versions": [ { "status": "affected", "version": "\u003e= RELEASE.2020-12-23T02-24-12Z, \u003c RELEASE.2023-03-13T19-46-17Z" } ] } ], "descriptions": [ { "lang": "en", "value": "Minio is a Multi-Cloud Object Storage framework. Starting with RELEASE.2020-12-23T02-24-12Z and prior to RELEASE.2023-03-13T19-46-17Z, a user with `consoleAdmin` permissions can potentially create a user that matches the root credential `accessKey`. Once this user is created successfully, the root credential ceases to work appropriately. The issue is patched in RELEASE.2023-03-13T19-46-17Z. There are ways to work around this via adding higher privileges to the disabled root user via `mc admin policy set`." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-269", "description": "CWE-269: Improper Privilege Management", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-03-14T18:22:35.884Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/minio/minio/security/advisories/GHSA-9wfv-wmf7-6753", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/minio/minio/security/advisories/GHSA-9wfv-wmf7-6753" }, { "name": "https://github.com/minio/minio/pull/16803", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/minio/minio/pull/16803" } ], "source": { "advisory": "GHSA-9wfv-wmf7-6753", "discovery": "UNKNOWN" }, "title": "Minio vulnerable to denial of access by an admin privileged user for root credential" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2023-27589", "datePublished": "2023-03-14T18:22:35.884Z", "dateReserved": "2023-03-04T01:03:53.635Z", "dateUpdated": "2024-08-02T12:16:36.220Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-28432
Vulnerability from cvelistv5
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T12:38:25.355Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/minio/minio/security/advisories/GHSA-6xvq-wj2x-3h3q", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/minio/minio/security/advisories/GHSA-6xvq-wj2x-3h3q" }, { "name": "https://github.com/minio/minio/releases/tag/RELEASE.2023-03-20T20-16-18Z", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/minio/minio/releases/tag/RELEASE.2023-03-20T20-16-18Z" }, { "tags": [ "x_transferred" ], "url": "https://twitter.com/Andrew___Morris/status/1639325397241278464" }, { "tags": [ "x_transferred" ], "url": "https://viz.greynoise.io/tag/minio-information-disclosure-attempt" }, { "tags": [ "x_transferred" ], "url": "https://www.greynoise.io/blog/openai-minio-and-why-you-should-always-use-docker-cli-scan-to-keep-your-supply-chain-clean" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "minio", "vendor": "minio", "versions": [ { "status": "affected", "version": "\u003e= RELEASE.2019-12-17T23-16-33Z, \u003c RELEASE.2023-03-20T20-16-18Z" } ] } ], "descriptions": [ { "lang": "en", "value": "Minio is a Multi-Cloud Object Storage framework. In a cluster deployment starting with RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z, MinIO returns all environment variables, including `MINIO_SECRET_KEY`\nand `MINIO_ROOT_PASSWORD`, resulting in information disclosure. All users of distributed deployment are impacted. All users are advised to upgrade to RELEASE.2023-03-20T20-16-18Z." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-03-27T00:08:29.261163Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/minio/minio/security/advisories/GHSA-6xvq-wj2x-3h3q", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/minio/minio/security/advisories/GHSA-6xvq-wj2x-3h3q" }, { "name": "https://github.com/minio/minio/releases/tag/RELEASE.2023-03-20T20-16-18Z", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/minio/minio/releases/tag/RELEASE.2023-03-20T20-16-18Z" }, { "url": "https://twitter.com/Andrew___Morris/status/1639325397241278464" }, { "url": "https://viz.greynoise.io/tag/minio-information-disclosure-attempt" }, { "url": "https://www.greynoise.io/blog/openai-minio-and-why-you-should-always-use-docker-cli-scan-to-keep-your-supply-chain-clean" } ], "source": { "advisory": "GHSA-6xvq-wj2x-3h3q", "discovery": "UNKNOWN" }, "title": "Minio Information Disclosure in Cluster Deployment" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2023-28432", "datePublished": "2023-03-22T20:16:38.641Z", "dateReserved": "2023-03-15T15:59:10.052Z", "dateUpdated": "2024-08-02T12:38:25.355Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-28434
Vulnerability from cvelistv5
▼ | URL | Tags |
---|---|---|
https://github.com/minio/minio/security/advisories/GHSA-2pxw-r47w-4p8c | x_refsource_CONFIRM | |
https://github.com/minio/minio/pull/16849 | x_refsource_MISC | |
https://github.com/minio/minio/commit/67f4ba154a27a1b06e48bfabda38355a010dfca5 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T12:38:25.275Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/minio/minio/security/advisories/GHSA-2pxw-r47w-4p8c", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/minio/minio/security/advisories/GHSA-2pxw-r47w-4p8c" }, { "name": "https://github.com/minio/minio/pull/16849", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/minio/minio/pull/16849" }, { "name": "https://github.com/minio/minio/commit/67f4ba154a27a1b06e48bfabda38355a010dfca5", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/minio/minio/commit/67f4ba154a27a1b06e48bfabda38355a010dfca5" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "minio", "vendor": "minio", "versions": [ { "status": "affected", "version": "\u003c RELEASE.2023-03-20T20-16-18Z" } ] } ], "descriptions": [ { "lang": "en", "value": "Minio is a Multi-Cloud Object Storage framework. Prior to RELEASE.2023-03-20T20-16-18Z, an attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing `PostPolicyBucket`. To carry out this attack, the attacker requires credentials with `arn:aws:s3:::*` permission, as well as enabled Console API access. This issue has been patched in RELEASE.2023-03-20T20-16-18Z. As a workaround, enable browser API access and turn off `MINIO_BROWSER=off`. 
\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-269", "description": "CWE-269: Improper Privilege Management", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-03-22T20:44:04.216Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/minio/minio/security/advisories/GHSA-2pxw-r47w-4p8c", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/minio/minio/security/advisories/GHSA-2pxw-r47w-4p8c" }, { "name": "https://github.com/minio/minio/pull/16849", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/minio/minio/pull/16849" }, { "name": "https://github.com/minio/minio/commit/67f4ba154a27a1b06e48bfabda38355a010dfca5", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/minio/minio/commit/67f4ba154a27a1b06e48bfabda38355a010dfca5" } ], "source": { "advisory": "GHSA-2pxw-r47w-4p8c", "discovery": "UNKNOWN" }, "title": "MinIO is vulnerable to privilege escalation on Linux/MacOS" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2023-28434", "datePublished": "2023-03-22T20:44:04.216Z", "dateReserved": "2023-03-15T15:59:10.053Z", "dateUpdated": "2024-08-02T12:38:25.275Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-43858
Vulnerability from cvelistv5
▼ | URL | Tags |
---|---|---|
https://github.com/minio/minio/security/advisories/GHSA-j6jc-jqqc-p6cx | x_refsource_CONFIRM | |
https://github.com/minio/minio/pull/13976 | x_refsource_MISC | |
https://github.com/minio/minio/pull/7949 | x_refsource_MISC | |
https://github.com/minio/minio/commit/5a96cbbeaabd0a82b0fe881378e7c21c85091abf | x_refsource_MISC | |
https://github.com/minio/minio/releases/tag/RELEASE.2021-12-27T07-23-18Z | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T04:10:17.197Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/minio/minio/security/advisories/GHSA-j6jc-jqqc-p6cx" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/minio/minio/pull/13976" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/minio/minio/pull/7949" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/minio/minio/commit/5a96cbbeaabd0a82b0fe881378e7c21c85091abf" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/minio/minio/releases/tag/RELEASE.2021-12-27T07-23-18Z" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "minio", "vendor": "minio", "versions": [ { "status": "affected", "version": "\u003c RELEASE.2021-12-27T07-23-18Z" } ] } ], "descriptions": [ { "lang": "en", "value": "MinIO is a Kubernetes native application for cloud storage. Prior to version `RELEASE.2021-12-27T07-23-18Z`, a malicious client can hand-craft an HTTP API call that allows for updating policy for a user and gaining higher privileges. The patch in version `RELEASE.2021-12-27T07-23-18Z` changes the accepted request body type and removes the ability to apply policy changes through this API. There is a workaround for this vulnerability: Changing passwords can be disabled by adding an explicit `Deny` rule to disable the API for users." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-269", "description": "CWE-269: Improper Privilege Management", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-12-27T21:20:11", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/minio/minio/security/advisories/GHSA-j6jc-jqqc-p6cx" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/minio/minio/pull/13976" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/minio/minio/pull/7949" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/minio/minio/commit/5a96cbbeaabd0a82b0fe881378e7c21c85091abf" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/minio/minio/releases/tag/RELEASE.2021-12-27T07-23-18Z" } ], "source": { "advisory": "GHSA-j6jc-jqqc-p6cx", "discovery": "UNKNOWN" }, "title": "User privilege escalation in MinIO", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-43858", "STATE": "PUBLIC", "TITLE": "User privilege escalation in MinIO" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "minio", "version": { "version_data": [ { "version_value": "\u003c RELEASE.2021-12-27T07-23-18Z" } ] } } ] }, "vendor_name": "minio" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "MinIO is a Kubernetes native application for cloud storage. 
Prior to version `RELEASE.2021-12-27T07-23-18Z`, a malicious client can hand-craft an HTTP API call that allows for updating policy for a user and gaining higher privileges. The patch in version `RELEASE.2021-12-27T07-23-18Z` changes the accepted request body type and removes the ability to apply policy changes through this API. There is a workaround for this vulnerability: Changing passwords can be disabled by adding an explicit `Deny` rule to disable the API for users." } ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-269: Improper Privilege Management" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/minio/minio/security/advisories/GHSA-j6jc-jqqc-p6cx", "refsource": "CONFIRM", "url": "https://github.com/minio/minio/security/advisories/GHSA-j6jc-jqqc-p6cx" }, { "name": "https://github.com/minio/minio/pull/13976", "refsource": "MISC", "url": "https://github.com/minio/minio/pull/13976" }, { "name": "https://github.com/minio/minio/pull/7949", "refsource": "MISC", "url": "https://github.com/minio/minio/pull/7949" }, { "name": "https://github.com/minio/minio/commit/5a96cbbeaabd0a82b0fe881378e7c21c85091abf", "refsource": "MISC", "url": "https://github.com/minio/minio/commit/5a96cbbeaabd0a82b0fe881378e7c21c85091abf" }, { "name": "https://github.com/minio/minio/releases/tag/RELEASE.2021-12-27T07-23-18Z", "refsource": "MISC", "url": "https://github.com/minio/minio/releases/tag/RELEASE.2021-12-27T07-23-18Z" } ] }, "source": { "advisory": "GHSA-j6jc-jqqc-p6cx", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": 
"a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-43858", "datePublished": "2021-12-27T21:20:11", "dateReserved": "2021-11-16T00:00:00", "dateUpdated": "2024-08-04T04:10:17.197Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-25812
Vulnerability from cvelistv5
▼ | URL | Tags |
---|---|---|
https://github.com/minio/minio/security/advisories/GHSA-c8fc-mjj8-fc63 | x_refsource_CONFIRM | |
https://github.com/minio/minio/pull/16635 | x_refsource_MISC | |
https://github.com/minio/minio/commit/a7188bc9d0f0a5ae05aaf1b8126bcd3cb3fdc485 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T11:32:12.447Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/minio/minio/security/advisories/GHSA-c8fc-mjj8-fc63", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/minio/minio/security/advisories/GHSA-c8fc-mjj8-fc63" }, { "name": "https://github.com/minio/minio/pull/16635", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/minio/minio/pull/16635" }, { "name": "https://github.com/minio/minio/commit/a7188bc9d0f0a5ae05aaf1b8126bcd3cb3fdc485", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/minio/minio/commit/a7188bc9d0f0a5ae05aaf1b8126bcd3cb3fdc485" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "minio", "vendor": "minio", "versions": [ { "status": "affected", "version": "\u003e= RELEASE.2020-04-10T03-34-42Z, \u003c RELEASE.2023-02-17T17-52-43Z" } ] } ], "descriptions": [ { "lang": "en", "value": "Minio is a Multi-Cloud Object Storage framework. Affected versions do not correctly honor a `Deny` policy on BypassGovernance. Ideally, minio should return \"Access Denied\" to all users attempting to DELETE a versionId with the special header `X-Amz-Bypass-Governance-Retention: true`. However, this was not honored; instead the request would be honored and an object under governance would be incorrectly deleted. All users are advised to upgrade. 
There are no known workarounds for this issue.\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-281", "description": "CWE-281: Improper Preservation of Permissions", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-02-21T20:32:34.798Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/minio/minio/security/advisories/GHSA-c8fc-mjj8-fc63", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/minio/minio/security/advisories/GHSA-c8fc-mjj8-fc63" }, { "name": "https://github.com/minio/minio/pull/16635", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/minio/minio/pull/16635" }, { "name": "https://github.com/minio/minio/commit/a7188bc9d0f0a5ae05aaf1b8126bcd3cb3fdc485", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/minio/minio/commit/a7188bc9d0f0a5ae05aaf1b8126bcd3cb3fdc485" } ], "source": { "advisory": "GHSA-c8fc-mjj8-fc63", "discovery": "UNKNOWN" }, "title": "Allowed DELETE on resources on object locked buckets under Governance mode in Minio" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2023-25812", "datePublished": "2023-02-21T20:32:34.798Z", "dateReserved": "2023-02-15T16:34:48.773Z", "dateUpdated": "2024-08-02T11:32:12.447Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-21287
Vulnerability from cvelistv5
▼ | URL | Tags |
---|---|---|
https://github.com/minio/minio/security/advisories/GHSA-m4qq-5f7c-693q | x_refsource_CONFIRM | |
https://github.com/minio/minio/pull/11337 | x_refsource_MISC | |
https://github.com/minio/minio/commit/eb6871ecd960d570f70698877209e6db181bf276 | x_refsource_MISC | |
https://github.com/minio/minio/releases/tag/RELEASE.2021-01-30T00-20-58Z | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T18:09:15.757Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/minio/minio/security/advisories/GHSA-m4qq-5f7c-693q" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/minio/minio/pull/11337" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/minio/minio/commit/eb6871ecd960d570f70698877209e6db181bf276" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/minio/minio/releases/tag/RELEASE.2021-01-30T00-20-58Z" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "minio", "vendor": "minio", "versions": [ { "status": "affected", "version": "\u003c RELEASE.2021-01-30T00-20-58Z" } ] } ], "descriptions": [ { "lang": "en", "value": "MinIO is a High Performance Object Storage released under Apache License v2.0. In MinIO before version RELEASE.2021-01-30T00-20-58Z there is a server-side request forgery vulnerability. The target application may have functionality for importing data from a URL, publishing data to a URL, or otherwise reading data from a URL that can be tampered with. The attacker modifies the calls to this functionality by supplying a completely different URL or by manipulating how URLs are built (path traversal etc.). In a Server-Side Request Forgery (SSRF) attack, the attacker can abuse functionality on the server to read or update internal resources. The attacker can supply or modify a URL which the code running on the server will read or submit data, and by carefully selecting the URLs, the attacker may be able to read server configuration such as AWS metadata, connect to internal services like HTTP enabled databases, or perform post requests towards internal services which are not intended to be exposed. 
This is fixed in version RELEASE.2021-01-30T00-20-58Z, all users are advised to upgrade. As a workaround you can disable the browser front-end with \"MINIO_BROWSER=off\" environment variable." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-02-01T17:15:16", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/minio/minio/security/advisories/GHSA-m4qq-5f7c-693q" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/minio/minio/pull/11337" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/minio/minio/commit/eb6871ecd960d570f70698877209e6db181bf276" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/minio/minio/releases/tag/RELEASE.2021-01-30T00-20-58Z" } ], "source": { "advisory": "GHSA-m4qq-5f7c-693q", "discovery": "UNKNOWN" }, "title": "Server-Side Request Forgery in MinIO Browser API", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-21287", "STATE": "PUBLIC", "TITLE": "Server-Side Request Forgery in MinIO Browser API" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "minio", "version": { "version_data": [ { "version_value": "\u003c RELEASE.2021-01-30T00-20-58Z" } ] } } ] }, "vendor_name": "minio" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { 
"description_data": [ { "lang": "eng", "value": "MinIO is a High Performance Object Storage released under Apache License v2.0. In MinIO before version RELEASE.2021-01-30T00-20-58Z there is a server-side request forgery vulnerability. The target application may have functionality for importing data from a URL, publishing data to a URL, or otherwise reading data from a URL that can be tampered with. The attacker modifies the calls to this functionality by supplying a completely different URL or by manipulating how URLs are built (path traversal etc.). In a Server-Side Request Forgery (SSRF) attack, the attacker can abuse functionality on the server to read or update internal resources. The attacker can supply or modify a URL which the code running on the server will read or submit data, and by carefully selecting the URLs, the attacker may be able to read server configuration such as AWS metadata, connect to internal services like HTTP enabled databases, or perform post requests towards internal services which are not intended to be exposed. This is fixed in version RELEASE.2021-01-30T00-20-58Z, all users are advised to upgrade. As a workaround you can disable the browser front-end with \"MINIO_BROWSER=off\" environment variable." 
} ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-918: Server-Side Request Forgery (SSRF)" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/minio/minio/security/advisories/GHSA-m4qq-5f7c-693q", "refsource": "CONFIRM", "url": "https://github.com/minio/minio/security/advisories/GHSA-m4qq-5f7c-693q" }, { "name": "https://github.com/minio/minio/pull/11337", "refsource": "MISC", "url": "https://github.com/minio/minio/pull/11337" }, { "name": "https://github.com/minio/minio/commit/eb6871ecd960d570f70698877209e6db181bf276", "refsource": "MISC", "url": "https://github.com/minio/minio/commit/eb6871ecd960d570f70698877209e6db181bf276" }, { "name": "https://github.com/minio/minio/releases/tag/RELEASE.2021-01-30T00-20-58Z", "refsource": "MISC", "url": "https://github.com/minio/minio/releases/tag/RELEASE.2021-01-30T00-20-58Z" } ] }, "source": { "advisory": "GHSA-m4qq-5f7c-693q", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-21287", "datePublished": "2021-02-01T17:15:16", "dateReserved": "2020-12-22T00:00:00", "dateUpdated": "2024-08-03T18:09:15.757Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-35919
Vulnerability from cvelistv5
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T09:51:58.534Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://github.com/minio/minio/security/advisories/GHSA-gr9v-6pcm-rqvg" }, { "tags": [ "x_transferred" ], "url": "https://github.com/minio/minio/pull/15429" }, { "tags": [ "x_transferred" ], "url": "https://github.com/minio/minio/commit/bc72e4226e669d98c8e0f3eccc9297be9251c692" }, { "tags": [ "x_transferred" ], "url": "http://packetstormsecurity.com/files/175010/Minio-2022-07-29T19-40-48Z-Path-Traversal.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "minio", "vendor": "minio", "versions": [ { "status": "affected", "version": "\u003c RELEASE.2022-07-29T19-40-48Z" } ] } ], "descriptions": [ { "lang": "en", "value": "MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. In affected versions all \u0027admin\u0027 users authorized for `admin:ServerUpdate` can selectively trigger an error whose response returns the content of the requested path. On any normal OS this allows access to contents at arbitrary paths that are readable by the MinIO process. Users are advised to upgrade. Users unable to upgrade may disable the ServerUpdate API by denying the `admin:ServerUpdate` action for their admin users via IAM policies." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-10-10T16:06:17.615108", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "url": "https://github.com/minio/minio/security/advisories/GHSA-gr9v-6pcm-rqvg" }, { "url": "https://github.com/minio/minio/pull/15429" }, { "url": "https://github.com/minio/minio/commit/bc72e4226e669d98c8e0f3eccc9297be9251c692" }, { "url": "http://packetstormsecurity.com/files/175010/Minio-2022-07-29T19-40-48Z-Path-Traversal.html" } ], "source": { "advisory": "GHSA-gr9v-6pcm-rqvg", "discovery": "UNKNOWN" }, "title": "Authenticated requests for server update admin API allows path traversal in minio" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-35919", "datePublished": "2022-08-01T00:00:00", "dateReserved": "2022-07-15T00:00:00", "dateUpdated": "2024-08-03T09:51:58.534Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-31028
Vulnerability from cvelistv5
▼ | URL | Tags |
---|---|---|
https://github.com/minio/minio/security/advisories/GHSA-qrpr-r3pw-f636 | x_refsource_CONFIRM | |
https://github.com/minio/minio/pull/14995 | x_refsource_MISC | |
https://gist.github.com/harshavardhana/2d00e6f909054d2d2524c71485ad02e1 | x_refsource_MISC | |
https://github.com/minio/minio/releases/tag/RELEASE.2022-06-03T01-40-53Z | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T07:03:40.192Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/minio/minio/security/advisories/GHSA-qrpr-r3pw-f636" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/minio/minio/pull/14995" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://gist.github.com/harshavardhana/2d00e6f909054d2d2524c71485ad02e1" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/minio/minio/releases/tag/RELEASE.2022-06-03T01-40-53Z" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "minio", "vendor": "minio", "versions": [ { "status": "affected", "version": "\u003e= RELEASE.2019-09-25T18-25-51Z, \u003c RELEASE.2022-06-02T02-11-04Z" } ] } ], "descriptions": [ { "lang": "en", "value": "MinIO is a multi-cloud object storage solution. Starting with version RELEASE.2019-09-25T18-25-51Z and ending with version RELEASE.2022-06-02T02-11-04Z, MinIO is vulnerable to an unending go-routine buildup while keeping connections established due to HTTP clients not closing the connections. Public-facing MinIO deployments are most affected. Users should upgrade to RELEASE.2022-06-02T02-11-04Z to receive a patch. One possible workaround is to use a reverse proxy to limit the number of connections being attempted in front of MinIO, and actively rejecting connections from such malicious clients." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-06-03T14:40:11", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/minio/minio/security/advisories/GHSA-qrpr-r3pw-f636" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/minio/minio/pull/14995" }, { "tags": [ "x_refsource_MISC" ], "url": "https://gist.github.com/harshavardhana/2d00e6f909054d2d2524c71485ad02e1" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/minio/minio/releases/tag/RELEASE.2022-06-03T01-40-53Z" } ], "source": { "advisory": "GHSA-qrpr-r3pw-f636", "discovery": "UNKNOWN" }, "title": "Possible DDOS by establishing keep-alive connections with anonymous HTTP clients in MinIO", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-31028", "STATE": "PUBLIC", "TITLE": "Possible DDOS by establishing keep-alive connections with anonymous HTTP clients in MinIO" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "minio", "version": { "version_data": [ { "version_value": "\u003e= RELEASE.2019-09-25T18-25-51Z, \u003c RELEASE.2022-06-02T02-11-04Z" } ] } } ] }, "vendor_name": "minio" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "MinIO is a multi-cloud object storage 
solution. Starting with version RELEASE.2019-09-25T18-25-51Z and ending with version RELEASE.2022-06-02T02-11-04Z, MinIO is vulnerable to an unending go-routine buildup while keeping connections established due to HTTP clients not closing the connections. Public-facing MinIO deployments are most affected. Users should upgrade to RELEASE.2022-06-02T02-11-04Z to receive a patch. One possible workaround is to use a reverse proxy to limit the number of connections being attempted in front of MinIO, and actively rejecting connections from such malicious clients." } ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-400: Uncontrolled Resource Consumption" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/minio/minio/security/advisories/GHSA-qrpr-r3pw-f636", "refsource": "CONFIRM", "url": "https://github.com/minio/minio/security/advisories/GHSA-qrpr-r3pw-f636" }, { "name": "https://github.com/minio/minio/pull/14995", "refsource": "MISC", "url": "https://github.com/minio/minio/pull/14995" }, { "name": "https://gist.github.com/harshavardhana/2d00e6f909054d2d2524c71485ad02e1", "refsource": "MISC", "url": "https://gist.github.com/harshavardhana/2d00e6f909054d2d2524c71485ad02e1" }, { "name": "https://github.com/minio/minio/releases/tag/RELEASE.2022-06-03T01-40-53Z", "refsource": "MISC", "url": "https://github.com/minio/minio/releases/tag/RELEASE.2022-06-03T01-40-53Z" } ] }, "source": { "advisory": "GHSA-qrpr-r3pw-f636", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", 
"assignerShortName": "GitHub_M", "cveId": "CVE-2022-31028", "datePublished": "2022-06-03T14:40:11", "dateReserved": "2022-05-18T00:00:00", "dateUpdated": "2024-08-03T07:03:40.192Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-21362
Vulnerability from cvelistv5
▼ | URL | Tags |
---|---|---|
https://github.com/minio/minio/security/advisories/GHSA-hq5j-6r98-9m8v | x_refsource_CONFIRM | |
https://github.com/minio/minio/pull/11682 | x_refsource_MISC | |
https://github.com/minio/minio/commit/039f59b552319fcc2f83631bb421a7d4b82bc482 | x_refsource_MISC | |
https://github.com/minio/minio/releases/tag/RELEASE.2021-03-04T00-53-13Z | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T18:09:15.715Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/minio/minio/security/advisories/GHSA-hq5j-6r98-9m8v" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/minio/minio/pull/11682" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/minio/minio/commit/039f59b552319fcc2f83631bb421a7d4b82bc482" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/minio/minio/releases/tag/RELEASE.2021-03-04T00-53-13Z" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "minio", "vendor": "minio", "versions": [ { "status": "affected", "version": "\u003c RELEASE.2021-03-04T00-53-13Z" } ] } ], "descriptions": [ { "lang": "en", "value": "MinIO is an open-source high performance object storage service and it is API compatible with Amazon S3 cloud storage service. In MinIO before version RELEASE.2021-03-04T00-53-13Z it is possible to bypass a readOnly policy by creating a temporary \u0027mc share upload\u0027 URL. Everyone is impacted who uses MinIO multi-users. This is fixed in version RELEASE.2021-03-04T00-53-13Z. As a workaround, one can disable uploads with `Content-Type: multipart/form-data` as mentioned in the S3 API RESTObjectPOST docs by using a proxy in front of MinIO." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-285", "description": "CWE-285: Improper Authorization", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-03-08T18:40:34", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/minio/minio/security/advisories/GHSA-hq5j-6r98-9m8v" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/minio/minio/pull/11682" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/minio/minio/commit/039f59b552319fcc2f83631bb421a7d4b82bc482" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/minio/minio/releases/tag/RELEASE.2021-03-04T00-53-13Z" } ], "source": { "advisory": "GHSA-hq5j-6r98-9m8v", "discovery": "UNKNOWN" }, "title": "Bypassing readOnly policy by creating a temporary \u0027mc share upload\u0027 URL", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-21362", "STATE": "PUBLIC", "TITLE": "Bypassing readOnly policy by creating a temporary \u0027mc share upload\u0027 URL" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "minio", "version": { "version_data": [ { "version_value": "\u003c RELEASE.2021-03-04T00-53-13Z" } ] } } ] }, "vendor_name": "minio" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "MinIO is an open-source high performance object storage service and it is API compatible with Amazon 
S3 cloud storage service. In MinIO before version RELEASE.2021-03-04T00-53-13Z it is possible to bypass a readOnly policy by creating a temporary \u0027mc share upload\u0027 URL. Everyone is impacted who uses MinIO multi-users. This is fixed in version RELEASE.2021-03-04T00-53-13Z. As a workaround, one can disable uploads with `Content-Type: multipart/form-data` as mentioned in the S3 API RESTObjectPOST docs by using a proxy in front of MinIO." } ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-285: Improper Authorization" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/minio/minio/security/advisories/GHSA-hq5j-6r98-9m8v", "refsource": "CONFIRM", "url": "https://github.com/minio/minio/security/advisories/GHSA-hq5j-6r98-9m8v" }, { "name": "https://github.com/minio/minio/pull/11682", "refsource": "MISC", "url": "https://github.com/minio/minio/pull/11682" }, { "name": "https://github.com/minio/minio/commit/039f59b552319fcc2f83631bb421a7d4b82bc482", "refsource": "MISC", "url": "https://github.com/minio/minio/commit/039f59b552319fcc2f83631bb421a7d4b82bc482" }, { "name": "https://github.com/minio/minio/releases/tag/RELEASE.2021-03-04T00-53-13Z", "refsource": "MISC", "url": "https://github.com/minio/minio/releases/tag/RELEASE.2021-03-04T00-53-13Z" } ] }, "source": { "advisory": "GHSA-hq5j-6r98-9m8v", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-21362", "datePublished": "2021-03-08T18:40:34", "dateReserved": 
"2020-12-22T00:00:00", "dateUpdated": "2024-08-03T18:09:15.715Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2018-1000538
Vulnerability from cvelistv5
▼ | URL | Tags |
---|---|---|
https://github.com/minio/minio/commit/9c8b7306f55f2c8c0a5c7cea9a8db9d34be8faa7#diff-e8c3bc9bc83b5516d0cc806cd461d08bL220 | x_refsource_MISC | |
https://github.com/minio/minio/pull/5957 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T12:40:47.227Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/minio/minio/commit/9c8b7306f55f2c8c0a5c7cea9a8db9d34be8faa7#diff-e8c3bc9bc83b5516d0cc806cd461d08bL220" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/minio/minio/pull/5957" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "dateAssigned": "2018-06-23T00:00:00", "datePublic": "2018-06-26T00:00:00", "descriptions": [ { "lang": "en", "value": "Minio Inc. Minio S3 server version prior to RELEASE.2018-05-16T23-35-33Z contains an Allocation of Memory Without Limits or Throttling (similar to CWE-774) vulnerability in write-to-RAM that can result in Denial of Service. This attack appears to be exploitable via sending V4-(pre)signed requests with large bodies. This vulnerability appears to have been fixed in commit 9c8b7306f55f2c8c0a5c7cea9a8db9d34be8faa7." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-06-26T15:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/minio/minio/commit/9c8b7306f55f2c8c0a5c7cea9a8db9d34be8faa7#diff-e8c3bc9bc83b5516d0cc806cd461d08bL220" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/minio/minio/pull/5957" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "DATE_ASSIGNED": "2018-06-23T11:22:33.053476", "DATE_REQUESTED": "2018-05-18T20:31:28", "ID": "CVE-2018-1000538", "REQUESTER": "aead@mail.de", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Minio Inc. Minio S3 server version prior to RELEASE.2018-05-16T23-35-33Z contains an Allocation of Memory Without Limits or Throttling (similar to CWE-774) vulnerability in write-to-RAM that can result in Denial of Service. This attack appears to be exploitable via sending V4-(pre)signed requests with large bodies. This vulnerability appears to have been fixed in commit 9c8b7306f55f2c8c0a5c7cea9a8db9d34be8faa7." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/minio/minio/commit/9c8b7306f55f2c8c0a5c7cea9a8db9d34be8faa7#diff-e8c3bc9bc83b5516d0cc806cd461d08bL220", "refsource": "MISC", "url": "https://github.com/minio/minio/commit/9c8b7306f55f2c8c0a5c7cea9a8db9d34be8faa7#diff-e8c3bc9bc83b5516d0cc806cd461d08bL220" }, { "name": "https://github.com/minio/minio/pull/5957", "refsource": "MISC", "url": "https://github.com/minio/minio/pull/5957" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-1000538", "datePublished": "2018-06-26T16:00:00", "dateReserved": "2018-05-18T00:00:00", "dateUpdated": "2024-08-05T12:40:47.227Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-28433
Vulnerability from cvelistv5
▼ | URL | Tags |
---|---|---|
https://github.com/minio/minio/security/advisories/GHSA-w23q-4hw3-2pp6 | x_refsource_CONFIRM | |
https://github.com/minio/minio/commit/8d6558b23649f613414c8527b58973fbdfa4d1b8 | x_refsource_MISC | |
https://github.com/minio/minio/commit/b3c54ec81e0a06392abfb3a1ffcdc80c6fbf6ebc | x_refsource_MISC | |
https://github.com/minio/minio/releases/tag/RELEASE.2023-03-20T20-16-18Z | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T12:38:25.491Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/minio/minio/security/advisories/GHSA-w23q-4hw3-2pp6", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/minio/minio/security/advisories/GHSA-w23q-4hw3-2pp6" }, { "name": "https://github.com/minio/minio/commit/8d6558b23649f613414c8527b58973fbdfa4d1b8", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/minio/minio/commit/8d6558b23649f613414c8527b58973fbdfa4d1b8" }, { "name": "https://github.com/minio/minio/commit/b3c54ec81e0a06392abfb3a1ffcdc80c6fbf6ebc", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/minio/minio/commit/b3c54ec81e0a06392abfb3a1ffcdc80c6fbf6ebc" }, { "name": "https://github.com/minio/minio/releases/tag/RELEASE.2023-03-20T20-16-18Z", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/minio/minio/releases/tag/RELEASE.2023-03-20T20-16-18Z" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "minio", "vendor": "minio", "versions": [ { "status": "affected", "version": "\u003c RELEASE.2023-03-20T20-16-18Z" } ] } ], "descriptions": [ { "lang": "en", "value": "Minio is a Multi-Cloud Object Storage framework. All users on Windows prior to version RELEASE.2023-03-20T20-16-18Z are impacted. MinIO fails to filter the `\\` character, which allows for arbitrary object placement across buckets. As a result, a user with low privileges, such as an access key, service account, or STS credential, which only has permission to `PutObject` in a specific bucket, can create an admin user. This issue is patched in RELEASE.2023-03-20T20-16-18Z. There are no known workarounds." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-668", "description": "CWE-668: Exposure of Resource to Wrong Sphere", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-03-22T20:33:43.452Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/minio/minio/security/advisories/GHSA-w23q-4hw3-2pp6", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/minio/minio/security/advisories/GHSA-w23q-4hw3-2pp6" }, { "name": "https://github.com/minio/minio/commit/8d6558b23649f613414c8527b58973fbdfa4d1b8", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/minio/minio/commit/8d6558b23649f613414c8527b58973fbdfa4d1b8" }, { "name": "https://github.com/minio/minio/commit/b3c54ec81e0a06392abfb3a1ffcdc80c6fbf6ebc", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/minio/minio/commit/b3c54ec81e0a06392abfb3a1ffcdc80c6fbf6ebc" }, { "name": "https://github.com/minio/minio/releases/tag/RELEASE.2023-03-20T20-16-18Z", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/minio/minio/releases/tag/RELEASE.2023-03-20T20-16-18Z" } ], "source": { "advisory": "GHSA-w23q-4hw3-2pp6", "discovery": "UNKNOWN" }, "title": "Minio Privilege Escalation on Windows via Path separator manipulation" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2023-28433", "datePublished": "2023-03-22T20:33:43.452Z", "dateReserved": "2023-03-15T15:59:10.052Z", "dateUpdated": "2024-08-02T12:38:25.491Z", "state": "PUBLISHED" }, 
"dataType": "CVE_RECORD", "dataVersion": "5.1" }