All the vulnerabilities related to minio - minio
cve-2023-25812
Vulnerability from cvelistv5
▼ | URL | Tags |
---|---|---|
https://github.com/minio/minio/security/advisories/GHSA-c8fc-mjj8-fc63 | x_refsource_CONFIRM | |
https://github.com/minio/minio/pull/16635 | x_refsource_MISC | |
https://github.com/minio/minio/commit/a7188bc9d0f0a5ae05aaf1b8126bcd3cb3fdc485 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T11:32:12.447Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/minio/minio/security/advisories/GHSA-c8fc-mjj8-fc63", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/minio/minio/security/advisories/GHSA-c8fc-mjj8-fc63" }, { "name": "https://github.com/minio/minio/pull/16635", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/minio/minio/pull/16635" }, { "name": "https://github.com/minio/minio/commit/a7188bc9d0f0a5ae05aaf1b8126bcd3cb3fdc485", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/minio/minio/commit/a7188bc9d0f0a5ae05aaf1b8126bcd3cb3fdc485" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "minio", "vendor": "minio", "versions": [ { "status": "affected", "version": "\u003e= RELEASE.2020-04-10T03-34-42Z, \u003c RELEASE.2023-02-17T17-52-43Z" } ] } ], "descriptions": [ { "lang": "en", "value": "Minio is a Multi-Cloud Object Storage framework. Affected versions do not correctly honor a `Deny` policy on ByPassGoverance. Ideally, minio should return \"Access Denied\" to all users attempting to DELETE a versionId with the special header `X-Amz-Bypass-Governance-Retention: true`. However, this was not honored instead the request will be honored and an object under governance would be incorrectly deleted. All users are advised to upgrade. 
There are no known workarounds for this issue.\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-281", "description": "CWE-281: Improper Preservation of Permissions", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-02-21T20:32:34.798Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/minio/minio/security/advisories/GHSA-c8fc-mjj8-fc63", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/minio/minio/security/advisories/GHSA-c8fc-mjj8-fc63" }, { "name": "https://github.com/minio/minio/pull/16635", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/minio/minio/pull/16635" }, { "name": "https://github.com/minio/minio/commit/a7188bc9d0f0a5ae05aaf1b8126bcd3cb3fdc485", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/minio/minio/commit/a7188bc9d0f0a5ae05aaf1b8126bcd3cb3fdc485" } ], "source": { "advisory": "GHSA-c8fc-mjj8-fc63", "discovery": "UNKNOWN" }, "title": "Allowed DELETE on resources on object locked buckets under Governance mode in Minio" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2023-25812", "datePublished": "2023-02-21T20:32:34.798Z", "dateReserved": "2023-02-15T16:34:48.773Z", "dateUpdated": "2024-08-02T11:32:12.447Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-35919
Vulnerability from cvelistv5
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T09:51:58.534Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://github.com/minio/minio/security/advisories/GHSA-gr9v-6pcm-rqvg" }, { "tags": [ "x_transferred" ], "url": "https://github.com/minio/minio/pull/15429" }, { "tags": [ "x_transferred" ], "url": "https://github.com/minio/minio/commit/bc72e4226e669d98c8e0f3eccc9297be9251c692" }, { "tags": [ "x_transferred" ], "url": "http://packetstormsecurity.com/files/175010/Minio-2022-07-29T19-40-48Z-Path-Traversal.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "minio", "vendor": "minio", "versions": [ { "status": "affected", "version": "\u003c RELEASE.2022-07-29T19-40-48Z" } ] } ], "descriptions": [ { "lang": "en", "value": "MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. In affected versions all \u0027admin\u0027 users authorized for `admin:ServerUpdate` can selectively trigger an error that in response, returns the content of the path requested. Any normal OS system would allow access to contents at any arbitrary paths that are readable by MinIO process. Users are advised to upgrade. Users unable to upgrade may disable ServerUpdate API by denying the `admin:ServerUpdate` action for your admin users via IAM policies." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-10-10T16:06:17.615108", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "url": "https://github.com/minio/minio/security/advisories/GHSA-gr9v-6pcm-rqvg" }, { "url": "https://github.com/minio/minio/pull/15429" }, { "url": "https://github.com/minio/minio/commit/bc72e4226e669d98c8e0f3eccc9297be9251c692" }, { "url": "http://packetstormsecurity.com/files/175010/Minio-2022-07-29T19-40-48Z-Path-Traversal.html" } ], "source": { "advisory": "GHSA-gr9v-6pcm-rqvg", "discovery": "UNKNOWN" }, "title": "Authenticated requests for server update admin API allows path traversal in minio" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-35919", "datePublished": "2022-08-01T00:00:00", "dateReserved": "2022-07-15T00:00:00", "dateUpdated": "2024-08-03T09:51:58.534Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-21287
Vulnerability from cvelistv5
▼ | URL | Tags |
---|---|---|
https://github.com/minio/minio/security/advisories/GHSA-m4qq-5f7c-693q | x_refsource_CONFIRM | |
https://github.com/minio/minio/pull/11337 | x_refsource_MISC | |
https://github.com/minio/minio/commit/eb6871ecd960d570f70698877209e6db181bf276 | x_refsource_MISC | |
https://github.com/minio/minio/releases/tag/RELEASE.2021-01-30T00-20-58Z | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T18:09:15.757Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/minio/minio/security/advisories/GHSA-m4qq-5f7c-693q" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/minio/minio/pull/11337" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/minio/minio/commit/eb6871ecd960d570f70698877209e6db181bf276" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/minio/minio/releases/tag/RELEASE.2021-01-30T00-20-58Z" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "minio", "vendor": "minio", "versions": [ { "status": "affected", "version": "\u003c RELEASE.2021-01-30T00-20-58Z" } ] } ], "descriptions": [ { "lang": "en", "value": "MinIO is a High Performance Object Storage released under Apache License v2.0. In MinIO before version RELEASE.2021-01-30T00-20-58Z there is a server-side request forgery vulnerability. The target application may have functionality for importing data from a URL, publishing data to a URL, or otherwise reading data from a URL that can be tampered with. The attacker modifies the calls to this functionality by supplying a completely different URL or by manipulating how URLs are built (path traversal etc.). In a Server-Side Request Forgery (SSRF) attack, the attacker can abuse functionality on the server to read or update internal resources. The attacker can supply or modify a URL which the code running on the server will read or submit data, and by carefully selecting the URLs, the attacker may be able to read server configuration such as AWS metadata, connect to internal services like HTTP enabled databases, or perform post requests towards internal services which are not intended to be exposed. 
This is fixed in version RELEASE.2021-01-30T00-20-58Z, all users are advised to upgrade. As a workaround you can disable the browser front-end with \"MINIO_BROWSER=off\" environment variable." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-02-01T17:15:16", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/minio/minio/security/advisories/GHSA-m4qq-5f7c-693q" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/minio/minio/pull/11337" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/minio/minio/commit/eb6871ecd960d570f70698877209e6db181bf276" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/minio/minio/releases/tag/RELEASE.2021-01-30T00-20-58Z" } ], "source": { "advisory": "GHSA-m4qq-5f7c-693q", "discovery": "UNKNOWN" }, "title": "Server-Side Request Forgery in MinIO Browser API", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-21287", "STATE": "PUBLIC", "TITLE": "Server-Side Request Forgery in MinIO Browser API" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "minio", "version": { "version_data": [ { "version_value": "\u003c RELEASE.2021-01-30T00-20-58Z" } ] } } ] }, "vendor_name": "minio" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { 
"description_data": [ { "lang": "eng", "value": "MinIO is a High Performance Object Storage released under Apache License v2.0. In MinIO before version RELEASE.2021-01-30T00-20-58Z there is a server-side request forgery vulnerability. The target application may have functionality for importing data from a URL, publishing data to a URL, or otherwise reading data from a URL that can be tampered with. The attacker modifies the calls to this functionality by supplying a completely different URL or by manipulating how URLs are built (path traversal etc.). In a Server-Side Request Forgery (SSRF) attack, the attacker can abuse functionality on the server to read or update internal resources. The attacker can supply or modify a URL which the code running on the server will read or submit data, and by carefully selecting the URLs, the attacker may be able to read server configuration such as AWS metadata, connect to internal services like HTTP enabled databases, or perform post requests towards internal services which are not intended to be exposed. This is fixed in version RELEASE.2021-01-30T00-20-58Z, all users are advised to upgrade. As a workaround you can disable the browser front-end with \"MINIO_BROWSER=off\" environment variable." 
} ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-918: Server-Side Request Forgery (SSRF)" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/minio/minio/security/advisories/GHSA-m4qq-5f7c-693q", "refsource": "CONFIRM", "url": "https://github.com/minio/minio/security/advisories/GHSA-m4qq-5f7c-693q" }, { "name": "https://github.com/minio/minio/pull/11337", "refsource": "MISC", "url": "https://github.com/minio/minio/pull/11337" }, { "name": "https://github.com/minio/minio/commit/eb6871ecd960d570f70698877209e6db181bf276", "refsource": "MISC", "url": "https://github.com/minio/minio/commit/eb6871ecd960d570f70698877209e6db181bf276" }, { "name": "https://github.com/minio/minio/releases/tag/RELEASE.2021-01-30T00-20-58Z", "refsource": "MISC", "url": "https://github.com/minio/minio/releases/tag/RELEASE.2021-01-30T00-20-58Z" } ] }, "source": { "advisory": "GHSA-m4qq-5f7c-693q", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-21287", "datePublished": "2021-02-01T17:15:16", "dateReserved": "2020-12-22T00:00:00", "dateUpdated": "2024-08-03T18:09:15.757Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-27589
Vulnerability from cvelistv5
▼ | URL | Tags |
---|---|---|
https://github.com/minio/minio/security/advisories/GHSA-9wfv-wmf7-6753 | x_refsource_CONFIRM | |
https://github.com/minio/minio/pull/16803 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T12:16:36.220Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/minio/minio/security/advisories/GHSA-9wfv-wmf7-6753", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/minio/minio/security/advisories/GHSA-9wfv-wmf7-6753" }, { "name": "https://github.com/minio/minio/pull/16803", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/minio/minio/pull/16803" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "minio", "vendor": "minio", "versions": [ { "status": "affected", "version": "\u003e= RELEASE.2020-12-23T02-24-12Z, \u003c RELEASE.2023-03-13T19-46-17Z" } ] } ], "descriptions": [ { "lang": "en", "value": "Minio is a Multi-Cloud Object Storage framework. Starting with RELEASE.2020-12-23T02-24-12Z and prior to RELEASE.2023-03-13T19-46-17Z, a user with `consoleAdmin` permissions can potentially create a user that matches the root credential `accessKey`. Once this user is created successfully, the root credential ceases to work appropriately. The issue is patched in RELEASE.2023-03-13T19-46-17Z. There are ways to work around this via adding higher privileges to the disabled root user via `mc admin policy set`." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-269", "description": "CWE-269: Improper Privilege Management", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-03-14T18:22:35.884Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/minio/minio/security/advisories/GHSA-9wfv-wmf7-6753", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/minio/minio/security/advisories/GHSA-9wfv-wmf7-6753" }, { "name": "https://github.com/minio/minio/pull/16803", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/minio/minio/pull/16803" } ], "source": { "advisory": "GHSA-9wfv-wmf7-6753", "discovery": "UNKNOWN" }, "title": "Minio vulnerable to denial of access by an admin privileged user for root credential" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2023-27589", "datePublished": "2023-03-14T18:22:35.884Z", "dateReserved": "2023-03-04T01:03:53.635Z", "dateUpdated": "2024-08-02T12:16:36.220Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-28432
Vulnerability from cvelistv5
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T12:38:25.355Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/minio/minio/security/advisories/GHSA-6xvq-wj2x-3h3q", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/minio/minio/security/advisories/GHSA-6xvq-wj2x-3h3q" }, { "name": "https://github.com/minio/minio/releases/tag/RELEASE.2023-03-20T20-16-18Z", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/minio/minio/releases/tag/RELEASE.2023-03-20T20-16-18Z" }, { "tags": [ "x_transferred" ], "url": "https://twitter.com/Andrew___Morris/status/1639325397241278464" }, { "tags": [ "x_transferred" ], "url": "https://viz.greynoise.io/tag/minio-information-disclosure-attempt" }, { "tags": [ "x_transferred" ], "url": "https://www.greynoise.io/blog/openai-minio-and-why-you-should-always-use-docker-cli-scan-to-keep-your-supply-chain-clean" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "minio", "vendor": "minio", "versions": [ { "status": "affected", "version": "\u003e= RELEASE.2019-12-17T23-16-33Z, \u003c RELEASE.2023-03-20T20-16-18Z" } ] } ], "descriptions": [ { "lang": "en", "value": "Minio is a Multi-Cloud Object Storage framework. In a cluster deployment starting with RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z, MinIO returns all environment variables, including `MINIO_SECRET_KEY`\nand `MINIO_ROOT_PASSWORD`, resulting in information disclosure. All users of distributed deployment are impacted. All users are advised to upgrade to RELEASE.2023-03-20T20-16-18Z." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-03-27T00:08:29.261163Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/minio/minio/security/advisories/GHSA-6xvq-wj2x-3h3q", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/minio/minio/security/advisories/GHSA-6xvq-wj2x-3h3q" }, { "name": "https://github.com/minio/minio/releases/tag/RELEASE.2023-03-20T20-16-18Z", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/minio/minio/releases/tag/RELEASE.2023-03-20T20-16-18Z" }, { "url": "https://twitter.com/Andrew___Morris/status/1639325397241278464" }, { "url": "https://viz.greynoise.io/tag/minio-information-disclosure-attempt" }, { "url": "https://www.greynoise.io/blog/openai-minio-and-why-you-should-always-use-docker-cli-scan-to-keep-your-supply-chain-clean" } ], "source": { "advisory": "GHSA-6xvq-wj2x-3h3q", "discovery": "UNKNOWN" }, "title": "Minio Information Disclosure in Cluster Deployment" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2023-28432", "datePublished": "2023-03-22T20:16:38.641Z", "dateReserved": "2023-03-15T15:59:10.052Z", "dateUpdated": "2024-08-02T12:38:25.355Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-21390
Vulnerability from cvelistv5
▼ | URL | Tags |
---|---|---|
https://github.com/minio/minio/security/advisories/GHSA-xr7r-7gpj-5pgp | x_refsource_CONFIRM | |
https://github.com/minio/minio/pull/11801 | x_refsource_MISC | |
https://github.com/minio/minio/commit/e197800f9055489415b53cf137e31e194aaf7ba0 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T18:09:16.085Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/minio/minio/security/advisories/GHSA-xr7r-7gpj-5pgp" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/minio/minio/pull/11801" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/minio/minio/commit/e197800f9055489415b53cf137e31e194aaf7ba0" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "minio", "vendor": "minio", "versions": [ { "status": "affected", "version": "\u003c RELEASE.2021-03-17T02-33-02Z" } ] } ], "descriptions": [ { "lang": "en", "value": "MinIO is an open-source high performance object storage service and it is API compatible with Amazon S3 cloud storage service. In MinIO before version RELEASE.2021-03-17T02-33-02Z, there is a vulnerability which enables MITM modification of request bodies that are meant to have integrity guaranteed by chunk signatures. In a PUT request using aws-chunked encoding, MinIO ordinarily verifies signatures at the end of a chunk. This check can be skipped if the client sends a false chunk size that is much greater than the actual data sent: the server accepts and completes the request without ever reaching the end of the chunk + thereby without ever checking the chunk signature. This is fixed in version RELEASE.2021-03-17T02-33-02Z. As a workaround one can avoid using \"aws-chunked\" encoding-based chunk signature upload requests instead use TLS. MinIO SDKs automatically disable chunked encoding signature when the server endpoint is configured with TLS." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-924", "description": "CWE-924: Improper Enforcement of Message Integrity During Transmission in a Communication Channel", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-03-19T16:00:17", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/minio/minio/security/advisories/GHSA-xr7r-7gpj-5pgp" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/minio/minio/pull/11801" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/minio/minio/commit/e197800f9055489415b53cf137e31e194aaf7ba0" } ], "source": { "advisory": "GHSA-xr7r-7gpj-5pgp", "discovery": "UNKNOWN" }, "title": "MITM modification of request bodies in MinIO", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-21390", "STATE": "PUBLIC", "TITLE": "MITM modification of request bodies in MinIO" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "minio", "version": { "version_data": [ { "version_value": "\u003c RELEASE.2021-03-17T02-33-02Z" } ] } } ] }, "vendor_name": "minio" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "MinIO is an open-source high performance object storage service and it is API compatible with Amazon S3 cloud storage service. 
In MinIO before version RELEASE.2021-03-17T02-33-02Z, there is a vulnerability which enables MITM modification of request bodies that are meant to have integrity guaranteed by chunk signatures. In a PUT request using aws-chunked encoding, MinIO ordinarily verifies signatures at the end of a chunk. This check can be skipped if the client sends a false chunk size that is much greater than the actual data sent: the server accepts and completes the request without ever reaching the end of the chunk + thereby without ever checking the chunk signature. This is fixed in version RELEASE.2021-03-17T02-33-02Z. As a workaround one can avoid using \"aws-chunked\" encoding-based chunk signature upload requests instead use TLS. MinIO SDKs automatically disable chunked encoding signature when the server endpoint is configured with TLS." } ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-924: Improper Enforcement of Message Integrity During Transmission in a Communication Channel" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/minio/minio/security/advisories/GHSA-xr7r-7gpj-5pgp", "refsource": "CONFIRM", "url": "https://github.com/minio/minio/security/advisories/GHSA-xr7r-7gpj-5pgp" }, { "name": "https://github.com/minio/minio/pull/11801", "refsource": "MISC", "url": "https://github.com/minio/minio/pull/11801" }, { "name": "https://github.com/minio/minio/commit/e197800f9055489415b53cf137e31e194aaf7ba0", "refsource": "MISC", "url": "https://github.com/minio/minio/commit/e197800f9055489415b53cf137e31e194aaf7ba0" } ] }, "source": { 
"advisory": "GHSA-xr7r-7gpj-5pgp", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-21390", "datePublished": "2021-03-19T16:00:17", "dateReserved": "2020-12-22T00:00:00", "dateUpdated": "2024-08-03T18:09:16.085Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-36107
Vulnerability from cvelistv5
▼ | URL | Tags |
---|---|---|
https://github.com/minio/minio/security/advisories/GHSA-95fr-cm4m-q5p9 | x_refsource_CONFIRM | |
https://github.com/minio/minio/pull/19810 | x_refsource_MISC | |
https://github.com/minio/minio/commit/e0fe7cc391724fc5baa85b45508f425020fe4272 | x_refsource_MISC | |
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-Modified-Since | x_refsource_MISC | |
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-Unmodified-Since | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T03:30:13.046Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/minio/minio/security/advisories/GHSA-95fr-cm4m-q5p9", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/minio/minio/security/advisories/GHSA-95fr-cm4m-q5p9" }, { "name": "https://github.com/minio/minio/pull/19810", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/minio/minio/pull/19810" }, { "name": "https://github.com/minio/minio/commit/e0fe7cc391724fc5baa85b45508f425020fe4272", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/minio/minio/commit/e0fe7cc391724fc5baa85b45508f425020fe4272" }, { "name": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-Modified-Since", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-Modified-Since" }, { "name": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-Unmodified-Since", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-Unmodified-Since" } ], "title": "CVE Program Container" }, { "affected": [ { "cpes": [ "cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "minio", "vendor": "minio", "versions": [ { "lessThan": "RELEASE.2024-05-27T19-17-46Z", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-36107", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-08-06T20:51:21.860158Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-03T15:28:54.674Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP 
Vulnrichment" } ], "cna": { "affected": [ { "product": "minio", "vendor": "minio", "versions": [ { "status": "affected", "version": "\u003c RELEASE.2024-05-27T19-17-46Z" } ] } ], "descriptions": [ { "lang": "en", "value": "MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. `If-Modified-Since` and `If-Unmodified-Since` headers when used with anonymous requests by sending a random object name requests can be used to determine if an object exists or not on the server on a specific bucket and also gain access to some amount of\ninformation such as `Last-Modified (of the latest version)`, `Etag (of the latest version)`, `x-amz-version-id (of the latest version)`, `Expires (metadata value of the latest version)`, `Cache-Control (metadata value of the latest version)`. This conditional check was being honored before validating if the anonymous access is indeed allowed on the metadata of an object. This issue has been addressed in commit `e0fe7cc3917`. Users must upgrade to RELEASE.2024-05-27T19-17-46Z for the fix. There are no known workarounds for this issue." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-05-28T18:50:51.013Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/minio/minio/security/advisories/GHSA-95fr-cm4m-q5p9", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/minio/minio/security/advisories/GHSA-95fr-cm4m-q5p9" }, { "name": "https://github.com/minio/minio/pull/19810", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/minio/minio/pull/19810" }, { "name": "https://github.com/minio/minio/commit/e0fe7cc391724fc5baa85b45508f425020fe4272", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/minio/minio/commit/e0fe7cc391724fc5baa85b45508f425020fe4272" }, { "name": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-Modified-Since", "tags": [ "x_refsource_MISC" ], "url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-Modified-Since" }, { "name": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-Unmodified-Since", "tags": [ "x_refsource_MISC" ], "url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-Unmodified-Since" } ], "source": { "advisory": "GHSA-95fr-cm4m-q5p9", "discovery": "UNKNOWN" }, "title": "Information disclosure in minio" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-36107", "datePublished": 
"2024-05-28T18:50:51.013Z", "dateReserved": "2024-05-20T21:07:48.186Z", "dateUpdated": "2024-09-03T15:28:54.674Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-28433
Vulnerability from cvelistv5
▼ | URL | Tags |
---|---|---|
https://github.com/minio/minio/security/advisories/GHSA-w23q-4hw3-2pp6 | x_refsource_CONFIRM | |
https://github.com/minio/minio/commit/8d6558b23649f613414c8527b58973fbdfa4d1b8 | x_refsource_MISC | |
https://github.com/minio/minio/commit/b3c54ec81e0a06392abfb3a1ffcdc80c6fbf6ebc | x_refsource_MISC | |
https://github.com/minio/minio/releases/tag/RELEASE.2023-03-20T20-16-18Z | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T12:38:25.491Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/minio/minio/security/advisories/GHSA-w23q-4hw3-2pp6", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/minio/minio/security/advisories/GHSA-w23q-4hw3-2pp6" }, { "name": "https://github.com/minio/minio/commit/8d6558b23649f613414c8527b58973fbdfa4d1b8", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/minio/minio/commit/8d6558b23649f613414c8527b58973fbdfa4d1b8" }, { "name": "https://github.com/minio/minio/commit/b3c54ec81e0a06392abfb3a1ffcdc80c6fbf6ebc", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/minio/minio/commit/b3c54ec81e0a06392abfb3a1ffcdc80c6fbf6ebc" }, { "name": "https://github.com/minio/minio/releases/tag/RELEASE.2023-03-20T20-16-18Z", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/minio/minio/releases/tag/RELEASE.2023-03-20T20-16-18Z" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "minio", "vendor": "minio", "versions": [ { "status": "affected", "version": "\u003c RELEASE.2023-03-20T20-16-18Z" } ] } ], "descriptions": [ { "lang": "en", "value": "Minio is a Multi-Cloud Object Storage framework. All users on Windows prior to version RELEASE.2023-03-20T20-16-18Z are impacted. MinIO fails to filter the `\\` character, which allows for arbitrary object placement across buckets. As a result, a user with low privileges, such as an access key, service account, or STS credential, which only has permission to `PutObject` in a specific bucket, can create an admin user. This issue is patched in RELEASE.2023-03-20T20-16-18Z. There are no known workarounds." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-668", "description": "CWE-668: Exposure of Resource to Wrong Sphere", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-03-22T20:33:43.452Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/minio/minio/security/advisories/GHSA-w23q-4hw3-2pp6", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/minio/minio/security/advisories/GHSA-w23q-4hw3-2pp6" }, { "name": "https://github.com/minio/minio/commit/8d6558b23649f613414c8527b58973fbdfa4d1b8", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/minio/minio/commit/8d6558b23649f613414c8527b58973fbdfa4d1b8" }, { "name": "https://github.com/minio/minio/commit/b3c54ec81e0a06392abfb3a1ffcdc80c6fbf6ebc", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/minio/minio/commit/b3c54ec81e0a06392abfb3a1ffcdc80c6fbf6ebc" }, { "name": "https://github.com/minio/minio/releases/tag/RELEASE.2023-03-20T20-16-18Z", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/minio/minio/releases/tag/RELEASE.2023-03-20T20-16-18Z" } ], "source": { "advisory": "GHSA-w23q-4hw3-2pp6", "discovery": "UNKNOWN" }, "title": "Minio Privilege Escalation on Windows via Path separator manipulation" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2023-28433", "datePublished": "2023-03-22T20:33:43.452Z", "dateReserved": "2023-03-15T15:59:10.052Z", "dateUpdated": "2024-08-02T12:38:25.491Z", "state": "PUBLISHED" }, 
"dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2018-1000538
Vulnerability from cvelistv5
▼ | URL | Tags |
---|---|---|
https://github.com/minio/minio/commit/9c8b7306f55f2c8c0a5c7cea9a8db9d34be8faa7#diff-e8c3bc9bc83b5516d0cc806cd461d08bL220 | x_refsource_MISC | |
https://github.com/minio/minio/pull/5957 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T12:40:47.227Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/minio/minio/commit/9c8b7306f55f2c8c0a5c7cea9a8db9d34be8faa7#diff-e8c3bc9bc83b5516d0cc806cd461d08bL220" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/minio/minio/pull/5957" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "dateAssigned": "2018-06-23T00:00:00", "datePublic": "2018-06-26T00:00:00", "descriptions": [ { "lang": "en", "value": "Minio Inc. Minio S3 server version prior to RELEASE.2018-05-16T23-35-33Z contains a Allocation of Memory Without Limits or Throttling (similar to CWE-774) vulnerability in write-to-RAM that can result in Denial of Service. This attack appear to be exploitable via Sending V4-(pre)signed requests with large bodies . This vulnerability appears to have been fixed in after commit 9c8b7306f55f2c8c0a5c7cea9a8db9d34be8faa7." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-06-26T15:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/minio/minio/commit/9c8b7306f55f2c8c0a5c7cea9a8db9d34be8faa7#diff-e8c3bc9bc83b5516d0cc806cd461d08bL220" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/minio/minio/pull/5957" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "DATE_ASSIGNED": "2018-06-23T11:22:33.053476", "DATE_REQUESTED": "2018-05-18T20:31:28", "ID": "CVE-2018-1000538", "REQUESTER": "aead@mail.de", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Minio Inc. Minio S3 server version prior to RELEASE.2018-05-16T23-35-33Z contains a Allocation of Memory Without Limits or Throttling (similar to CWE-774) vulnerability in write-to-RAM that can result in Denial of Service. This attack appear to be exploitable via Sending V4-(pre)signed requests with large bodies . This vulnerability appears to have been fixed in after commit 9c8b7306f55f2c8c0a5c7cea9a8db9d34be8faa7." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/minio/minio/commit/9c8b7306f55f2c8c0a5c7cea9a8db9d34be8faa7#diff-e8c3bc9bc83b5516d0cc806cd461d08bL220", "refsource": "MISC", "url": "https://github.com/minio/minio/commit/9c8b7306f55f2c8c0a5c7cea9a8db9d34be8faa7#diff-e8c3bc9bc83b5516d0cc806cd461d08bL220" }, { "name": "https://github.com/minio/minio/pull/5957", "refsource": "MISC", "url": "https://github.com/minio/minio/pull/5957" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-1000538", "datePublished": "2018-06-26T16:00:00", "dateReserved": "2018-05-18T00:00:00", "dateUpdated": "2024-08-05T12:40:47.227Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-41137
Vulnerability from cvelistv5
▼ | URL | Tags |
---|---|---|
https://github.com/minio/minio/security/advisories/GHSA-v64v-g97p-577c | x_refsource_CONFIRM | |
https://github.com/minio/minio/pull/13388 | x_refsource_MISC | |
https://github.com/minio/minio/pull/13422 | x_refsource_MISC | |
https://github.com/minio/minio/commit/415bbc74aacd53a120e54a663e941b1809982dbd | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T02:59:31.695Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/minio/minio/security/advisories/GHSA-v64v-g97p-577c" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/minio/minio/pull/13388" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/minio/minio/pull/13422" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/minio/minio/commit/415bbc74aacd53a120e54a663e941b1809982dbd" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "minio", "vendor": "minio", "versions": [ { "status": "affected", "version": "= RELEASE.2021-10-10T16-53-30Z" } ] } ], "descriptions": [ { "lang": "en", "value": "Minio is a Kubernetes native application for cloud storage. All users on release `RELEASE.2021-10-10T16-53-30Z` are affected by a vulnerability that involves bypassing policy restrictions on regular users. Normally, checkKeyValid() should return owner true for rootCreds. In the affected version, policy restriction did not work properly for users who did not have service (svc) or security token service (STS) accounts. This issue is fixed in `RELEASE.2021-10-13T00-23-17Z`. A downgrade back to release `RELEASE.2021-10-08T23-58-24Z` is available as a workaround." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-285", "description": "CWE-285: Improper Authorization", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-10-13T14:00:12", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/minio/minio/security/advisories/GHSA-v64v-g97p-577c" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/minio/minio/pull/13388" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/minio/minio/pull/13422" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/minio/minio/commit/415bbc74aacd53a120e54a663e941b1809982dbd" } ], "source": { "advisory": "GHSA-v64v-g97p-577c", "discovery": "UNKNOWN" }, "title": "Bypassing policy restrictions on regular users ", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-41137", "STATE": "PUBLIC", "TITLE": "Bypassing policy restrictions on regular users " }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "minio", "version": { "version_data": [ { "version_value": "= RELEASE.2021-10-10T16-53-30Z" } ] } } ] }, "vendor_name": "minio" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Minio is a Kubernetes native application for cloud storage. 
All users on release `RELEASE.2021-10-10T16-53-30Z` are affected by a vulnerability that involves bypassing policy restrictions on regular users. Normally, checkKeyValid() should return owner true for rootCreds. In the affected version, policy restriction did not work properly for users who did not have service (svc) or security token service (STS) accounts. This issue is fixed in `RELEASE.2021-10-13T00-23-17Z`. A downgrade back to release `RELEASE.2021-10-08T23-58-24Z` is available as a workaround." } ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-285: Improper Authorization" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/minio/minio/security/advisories/GHSA-v64v-g97p-577c", "refsource": "CONFIRM", "url": "https://github.com/minio/minio/security/advisories/GHSA-v64v-g97p-577c" }, { "name": "https://github.com/minio/minio/pull/13388", "refsource": "MISC", "url": "https://github.com/minio/minio/pull/13388" }, { "name": "https://github.com/minio/minio/pull/13422", "refsource": "MISC", "url": "https://github.com/minio/minio/pull/13422" }, { "name": "https://github.com/minio/minio/commit/415bbc74aacd53a120e54a663e941b1809982dbd", "refsource": "MISC", "url": "https://github.com/minio/minio/commit/415bbc74aacd53a120e54a663e941b1809982dbd" } ] }, "source": { "advisory": "GHSA-v64v-g97p-577c", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-41137", "datePublished": "2021-10-13T14:00:13", "dateReserved": 
"2021-09-15T00:00:00", "dateUpdated": "2024-08-04T02:59:31.695Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-55949
Vulnerability from cvelistv5
▼ | URL | Tags |
---|---|---|
https://github.com/minio/minio/security/advisories/GHSA-cwq8-g58r-32hg | x_refsource_CONFIRM | |
https://github.com/minio/minio/pull/20756 | x_refsource_MISC | |
https://github.com/minio/minio/commit/580d9db85e04f1b63cc2909af50f0ed08afa965f | x_refsource_MISC | |
https://github.com/minio/minio/commit/f246c9053f9603e610d98439799bdd2a6b293427 | x_refsource_MISC |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-55949", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-12-16T20:18:23.221689Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-12-16T20:18:46.452Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "minio", "vendor": "minio", "versions": [ { "status": "affected", "version": "\u003e= RELEASE.2022-06-25T15-50-16Z, \u003c RELEASE.2024-12-13T22-19-12Z" } ] } ], "descriptions": [ { "lang": "en", "value": "MinIO is a high-performance, S3 compatible object store, open sourced under GNU AGPLv3 license. Minio is subject to a privilege escalation in IAM import API, all users are impacted since MinIO commit `580d9db85e04f1b63cc2909af50f0ed08afa965f`. This issue has been addressed in commit `f246c9053f9603e610d98439799bdd2a6b293427` which is included in RELEASE.2024-12-13T22-19-12Z. There are no workarounds possible, all users are advised to upgrade immediately." 
} ], "metrics": [ { "cvssV4_0": { "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 9.3, "baseSeverity": "CRITICAL", "privilegesRequired": "NONE", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-269", "description": "CWE-269: Improper Privilege Management", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-12-16T20:02:00.856Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/minio/minio/security/advisories/GHSA-cwq8-g58r-32hg", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/minio/minio/security/advisories/GHSA-cwq8-g58r-32hg" }, { "name": "https://github.com/minio/minio/pull/20756", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/minio/minio/pull/20756" }, { "name": "https://github.com/minio/minio/commit/580d9db85e04f1b63cc2909af50f0ed08afa965f", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/minio/minio/commit/580d9db85e04f1b63cc2909af50f0ed08afa965f" }, { "name": "https://github.com/minio/minio/commit/f246c9053f9603e610d98439799bdd2a6b293427", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/minio/minio/commit/f246c9053f9603e610d98439799bdd2a6b293427" } ], "source": { "advisory": "GHSA-cwq8-g58r-32hg", "discovery": "UNKNOWN" }, "title": "Privilege escalation in IAM import API in MinIO" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-55949", "datePublished": "2024-12-16T20:02:00.856Z", "dateReserved": "2024-12-13T17:39:32.960Z", "dateUpdated": 
"2024-12-16T20:18:46.452Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-31028
Vulnerability from cvelistv5
▼ | URL | Tags |
---|---|---|
https://github.com/minio/minio/security/advisories/GHSA-qrpr-r3pw-f636 | x_refsource_CONFIRM | |
https://github.com/minio/minio/pull/14995 | x_refsource_MISC | |
https://gist.github.com/harshavardhana/2d00e6f909054d2d2524c71485ad02e1 | x_refsource_MISC | |
https://github.com/minio/minio/releases/tag/RELEASE.2022-06-03T01-40-53Z | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T07:03:40.192Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/minio/minio/security/advisories/GHSA-qrpr-r3pw-f636" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/minio/minio/pull/14995" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://gist.github.com/harshavardhana/2d00e6f909054d2d2524c71485ad02e1" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/minio/minio/releases/tag/RELEASE.2022-06-03T01-40-53Z" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "minio", "vendor": "minio", "versions": [ { "status": "affected", "version": "\u003e= RELEASE.2019-09-25T18-25-51Z, \u003c RELEASE.2022-06-02T02-11-04Z" } ] } ], "descriptions": [ { "lang": "en", "value": "MinIO is a multi-cloud object storage solution. Starting with version RELEASE.2019-09-25T18-25-51Z and ending with version RELEASE.2022-06-02T02-11-04Z, MinIO is vulnerable to an unending go-routine buildup while keeping connections established due to HTTP clients not closing the connections. Public-facing MinIO deployments are most affected. Users should upgrade to RELEASE.2022-06-02T02-11-04Z to receive a patch. One possible workaround is to use a reverse proxy to limit the number of connections being attempted in front of MinIO, and actively rejecting connections from such malicious clients." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-06-03T14:40:11", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/minio/minio/security/advisories/GHSA-qrpr-r3pw-f636" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/minio/minio/pull/14995" }, { "tags": [ "x_refsource_MISC" ], "url": "https://gist.github.com/harshavardhana/2d00e6f909054d2d2524c71485ad02e1" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/minio/minio/releases/tag/RELEASE.2022-06-03T01-40-53Z" } ], "source": { "advisory": "GHSA-qrpr-r3pw-f636", "discovery": "UNKNOWN" }, "title": "Possible DDOS by establishing keep-alive connections with anonymous HTTP clients in MinIO", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-31028", "STATE": "PUBLIC", "TITLE": "Possible DDOS by establishing keep-alive connections with anonymous HTTP clients in MinIO" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "minio", "version": { "version_data": [ { "version_value": "\u003e= RELEASE.2019-09-25T18-25-51Z, \u003c RELEASE.2022-06-02T02-11-04Z" } ] } } ] }, "vendor_name": "minio" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "MinIO is a multi-cloud object storage 
solution. Starting with version RELEASE.2019-09-25T18-25-51Z and ending with version RELEASE.2022-06-02T02-11-04Z, MinIO is vulnerable to an unending go-routine buildup while keeping connections established due to HTTP clients not closing the connections. Public-facing MinIO deployments are most affected. Users should upgrade to RELEASE.2022-06-02T02-11-04Z to receive a patch. One possible workaround is to use a reverse proxy to limit the number of connections being attempted in front of MinIO, and actively rejecting connections from such malicious clients." } ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-400: Uncontrolled Resource Consumption" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/minio/minio/security/advisories/GHSA-qrpr-r3pw-f636", "refsource": "CONFIRM", "url": "https://github.com/minio/minio/security/advisories/GHSA-qrpr-r3pw-f636" }, { "name": "https://github.com/minio/minio/pull/14995", "refsource": "MISC", "url": "https://github.com/minio/minio/pull/14995" }, { "name": "https://gist.github.com/harshavardhana/2d00e6f909054d2d2524c71485ad02e1", "refsource": "MISC", "url": "https://gist.github.com/harshavardhana/2d00e6f909054d2d2524c71485ad02e1" }, { "name": "https://github.com/minio/minio/releases/tag/RELEASE.2022-06-03T01-40-53Z", "refsource": "MISC", "url": "https://github.com/minio/minio/releases/tag/RELEASE.2022-06-03T01-40-53Z" } ] }, "source": { "advisory": "GHSA-qrpr-r3pw-f636", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", 
"assignerShortName": "GitHub_M", "cveId": "CVE-2022-31028", "datePublished": "2022-06-03T14:40:11", "dateReserved": "2022-05-18T00:00:00", "dateUpdated": "2024-08-03T07:03:40.192Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-21362
Vulnerability from cvelistv5
▼ | URL | Tags |
---|---|---|
https://github.com/minio/minio/security/advisories/GHSA-hq5j-6r98-9m8v | x_refsource_CONFIRM | |
https://github.com/minio/minio/pull/11682 | x_refsource_MISC | |
https://github.com/minio/minio/commit/039f59b552319fcc2f83631bb421a7d4b82bc482 | x_refsource_MISC | |
https://github.com/minio/minio/releases/tag/RELEASE.2021-03-04T00-53-13Z | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T18:09:15.715Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/minio/minio/security/advisories/GHSA-hq5j-6r98-9m8v" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/minio/minio/pull/11682" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/minio/minio/commit/039f59b552319fcc2f83631bb421a7d4b82bc482" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/minio/minio/releases/tag/RELEASE.2021-03-04T00-53-13Z" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "minio", "vendor": "minio", "versions": [ { "status": "affected", "version": "\u003c RELEASE.2021-03-04T00-53-13Z" } ] } ], "descriptions": [ { "lang": "en", "value": "MinIO is an open-source high performance object storage service and it is API compatible with Amazon S3 cloud storage service. In MinIO before version RELEASE.2021-03-04T00-53-13Z it is possible to bypass a readOnly policy by creating a temporary \u0027mc share upload\u0027 URL. Everyone is impacted who uses MinIO multi-users. This is fixed in version RELEASE.2021-03-04T00-53-13Z. As a workaround, one can disable uploads with `Content-Type: multipart/form-data` as mentioned in the S3 API RESTObjectPOST docs by using a proxy in front of MinIO." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-285", "description": "CWE-285: Improper Authorization", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-03-08T18:40:34", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/minio/minio/security/advisories/GHSA-hq5j-6r98-9m8v" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/minio/minio/pull/11682" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/minio/minio/commit/039f59b552319fcc2f83631bb421a7d4b82bc482" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/minio/minio/releases/tag/RELEASE.2021-03-04T00-53-13Z" } ], "source": { "advisory": "GHSA-hq5j-6r98-9m8v", "discovery": "UNKNOWN" }, "title": "Bypassing readOnly policy by creating a temporary \u0027mc share upload\u0027 URL", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-21362", "STATE": "PUBLIC", "TITLE": "Bypassing readOnly policy by creating a temporary \u0027mc share upload\u0027 URL" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "minio", "version": { "version_data": [ { "version_value": "\u003c RELEASE.2021-03-04T00-53-13Z" } ] } } ] }, "vendor_name": "minio" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "MinIO is an open-source high performance object storage service and it is API compatible with Amazon 
S3 cloud storage service. In MinIO before version RELEASE.2021-03-04T00-53-13Z it is possible to bypass a readOnly policy by creating a temporary \u0027mc share upload\u0027 URL. Everyone is impacted who uses MinIO multi-users. This is fixed in version RELEASE.2021-03-04T00-53-13Z. As a workaround, one can disable uploads with `Content-Type: multipart/form-data` as mentioned in the S3 API RESTObjectPOST docs by using a proxy in front of MinIO." } ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-285: Improper Authorization" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/minio/minio/security/advisories/GHSA-hq5j-6r98-9m8v", "refsource": "CONFIRM", "url": "https://github.com/minio/minio/security/advisories/GHSA-hq5j-6r98-9m8v" }, { "name": "https://github.com/minio/minio/pull/11682", "refsource": "MISC", "url": "https://github.com/minio/minio/pull/11682" }, { "name": "https://github.com/minio/minio/commit/039f59b552319fcc2f83631bb421a7d4b82bc482", "refsource": "MISC", "url": "https://github.com/minio/minio/commit/039f59b552319fcc2f83631bb421a7d4b82bc482" }, { "name": "https://github.com/minio/minio/releases/tag/RELEASE.2021-03-04T00-53-13Z", "refsource": "MISC", "url": "https://github.com/minio/minio/releases/tag/RELEASE.2021-03-04T00-53-13Z" } ] }, "source": { "advisory": "GHSA-hq5j-6r98-9m8v", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-21362", "datePublished": "2021-03-08T18:40:34", "dateReserved": 
"2020-12-22T00:00:00", "dateUpdated": "2024-08-03T18:09:15.715Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-28434
Vulnerability from cvelistv5
▼ | URL | Tags |
---|---|---|
https://github.com/minio/minio/security/advisories/GHSA-2pxw-r47w-4p8c | x_refsource_CONFIRM | |
https://github.com/minio/minio/pull/16849 | x_refsource_MISC | |
https://github.com/minio/minio/commit/67f4ba154a27a1b06e48bfabda38355a010dfca5 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T12:38:25.275Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/minio/minio/security/advisories/GHSA-2pxw-r47w-4p8c", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/minio/minio/security/advisories/GHSA-2pxw-r47w-4p8c" }, { "name": "https://github.com/minio/minio/pull/16849", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/minio/minio/pull/16849" }, { "name": "https://github.com/minio/minio/commit/67f4ba154a27a1b06e48bfabda38355a010dfca5", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/minio/minio/commit/67f4ba154a27a1b06e48bfabda38355a010dfca5" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "minio", "vendor": "minio", "versions": [ { "status": "affected", "version": "\u003c RELEASE.2023-03-20T20-16-18Z" } ] } ], "descriptions": [ { "lang": "en", "value": "Minio is a Multi-Cloud Object Storage framework. Prior to RELEASE.2023-03-20T20-16-18Z, an attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing `PostPolicyBucket`. To carry out this attack, the attacker requires credentials with `arn:aws:s3:::*` permission, as well as enabled Console API access. This issue has been patched in RELEASE.2023-03-20T20-16-18Z. As a workaround, enable browser API access and turn off `MINIO_BROWSER=off`. 
\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-269", "description": "CWE-269: Improper Privilege Management", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-03-22T20:44:04.216Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/minio/minio/security/advisories/GHSA-2pxw-r47w-4p8c", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/minio/minio/security/advisories/GHSA-2pxw-r47w-4p8c" }, { "name": "https://github.com/minio/minio/pull/16849", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/minio/minio/pull/16849" }, { "name": "https://github.com/minio/minio/commit/67f4ba154a27a1b06e48bfabda38355a010dfca5", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/minio/minio/commit/67f4ba154a27a1b06e48bfabda38355a010dfca5" } ], "source": { "advisory": "GHSA-2pxw-r47w-4p8c", "discovery": "UNKNOWN" }, "title": "MinIO is vulnerable to privilege escalation on Linux/MacOS" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2023-28434", "datePublished": "2023-03-22T20:44:04.216Z", "dateReserved": "2023-03-15T15:59:10.053Z", "dateUpdated": "2024-08-02T12:38:25.275Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-24842
Vulnerability from cvelistv5
▼ | URL | Tags |
---|---|---|
https://github.com/minio/minio/security/advisories/GHSA-2j69-jjmg-534q | x_refsource_CONFIRM | |
https://github.com/minio/minio/pull/14729 | x_refsource_MISC | |
https://github.com/minio/minio/commit/66b14a0d32684d527ae8018dc6d9d46ccce58ae3 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T04:20:50.468Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/minio/minio/security/advisories/GHSA-2j69-jjmg-534q" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/minio/minio/pull/14729" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/minio/minio/commit/66b14a0d32684d527ae8018dc6d9d46ccce58ae3" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "minio", "vendor": "minio", "versions": [ { "status": "affected", "version": "\u003c RELEASE.2022-04-12T06-55-35Z" } ] } ], "descriptions": [ { "lang": "en", "value": "MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. A security issue was found where a non-admin user is able to create service accounts for root or other admin users and then is able to assume their access policies via the generated credentials. This in turn allows the user to escalate privilege to that of the root user. This vulnerability has been resolved in pull request #14729 and is included in `RELEASE.2022-04-12T06-55-35Z`. Users unable to upgrade may work around this issue by explicitly adding an `admin:CreateServiceAccount` deny policy; however, this, in turn, denies the user the ability to create their own service accounts as well." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-269", "description": "CWE-269: Improper Privilege Management", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-04-12T17:20:18", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/minio/minio/security/advisories/GHSA-2j69-jjmg-534q" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/minio/minio/pull/14729" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/minio/minio/commit/66b14a0d32684d527ae8018dc6d9d46ccce58ae3" } ], "source": { "advisory": "GHSA-2j69-jjmg-534q", "discovery": "UNKNOWN" }, "title": "Improper Privilege Management in MinIO", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-24842", "STATE": "PUBLIC", "TITLE": "Improper Privilege Management in MinIO" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "minio", "version": { "version_data": [ { "version_value": "\u003c RELEASE.2022-04-12T06-55-35Z" } ] } } ] }, "vendor_name": "minio" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. A security issue was found where an non-admin user is able to create service accounts for root or other admin users and then is able to assume their access policies via the generated credentials. 
This in turn allows the user to escalate privilege to that of the root user. This vulnerability has been resolved in pull request #14729 and is included in `RELEASE.2022-04-12T06-55-35Z`. Users unable to upgrade may workaround this issue by explicitly adding a `admin:CreateServiceAccount` deny policy, however, this, in turn, denies the user the ability to create their own service accounts as well." } ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-269: Improper Privilege Management" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/minio/minio/security/advisories/GHSA-2j69-jjmg-534q", "refsource": "CONFIRM", "url": "https://github.com/minio/minio/security/advisories/GHSA-2j69-jjmg-534q" }, { "name": "https://github.com/minio/minio/pull/14729", "refsource": "MISC", "url": "https://github.com/minio/minio/pull/14729" }, { "name": "https://github.com/minio/minio/commit/66b14a0d32684d527ae8018dc6d9d46ccce58ae3", "refsource": "MISC", "url": "https://github.com/minio/minio/commit/66b14a0d32684d527ae8018dc6d9d46ccce58ae3" } ] }, "source": { "advisory": "GHSA-2j69-jjmg-534q", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-24842", "datePublished": "2022-04-12T17:20:18", "dateReserved": "2022-02-10T00:00:00", "dateUpdated": "2024-08-03T04:20:50.468Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-43858
Vulnerability from cvelistv5
▼ | URL | Tags |
---|---|---|
https://github.com/minio/minio/security/advisories/GHSA-j6jc-jqqc-p6cx | x_refsource_CONFIRM | |
https://github.com/minio/minio/pull/13976 | x_refsource_MISC | |
https://github.com/minio/minio/pull/7949 | x_refsource_MISC | |
https://github.com/minio/minio/commit/5a96cbbeaabd0a82b0fe881378e7c21c85091abf | x_refsource_MISC | |
https://github.com/minio/minio/releases/tag/RELEASE.2021-12-27T07-23-18Z | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T04:10:17.197Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/minio/minio/security/advisories/GHSA-j6jc-jqqc-p6cx" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/minio/minio/pull/13976" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/minio/minio/pull/7949" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/minio/minio/commit/5a96cbbeaabd0a82b0fe881378e7c21c85091abf" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/minio/minio/releases/tag/RELEASE.2021-12-27T07-23-18Z" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "minio", "vendor": "minio", "versions": [ { "status": "affected", "version": "\u003c RELEASE.2021-12-27T07-23-18Z" } ] } ], "descriptions": [ { "lang": "en", "value": "MinIO is a Kubernetes native application for cloud storage. Prior to version `RELEASE.2021-12-27T07-23-18Z`, a malicious client can hand-craft an HTTP API call that allows for updating policy for a user and gaining higher privileges. The patch in version `RELEASE.2021-12-27T07-23-18Z` changes the accepted request body type and removes the ability to apply policy changes through this API. There is a workaround for this vulnerability: Changing passwords can be disabled by adding an explicit `Deny` rule to disable the API for users." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-269", "description": "CWE-269: Improper Privilege Management", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-12-27T21:20:11", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/minio/minio/security/advisories/GHSA-j6jc-jqqc-p6cx" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/minio/minio/pull/13976" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/minio/minio/pull/7949" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/minio/minio/commit/5a96cbbeaabd0a82b0fe881378e7c21c85091abf" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/minio/minio/releases/tag/RELEASE.2021-12-27T07-23-18Z" } ], "source": { "advisory": "GHSA-j6jc-jqqc-p6cx", "discovery": "UNKNOWN" }, "title": "User privilege escalation in MinIO", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-43858", "STATE": "PUBLIC", "TITLE": "User privilege escalation in MinIO" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "minio", "version": { "version_data": [ { "version_value": "\u003c RELEASE.2021-12-27T07-23-18Z" } ] } } ] }, "vendor_name": "minio" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "MinIO is a Kubernetes native application for cloud storage. 
Prior to version `RELEASE.2021-12-27T07-23-18Z`, a malicious client can hand-craft an HTTP API call that allows for updating policy for a user and gaining higher privileges. The patch in version `RELEASE.2021-12-27T07-23-18Z` changes the accepted request body type and removes the ability to apply policy changes through this API. There is a workaround for this vulnerability: Changing passwords can be disabled by adding an explicit `Deny` rule to disable the API for users." } ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-269: Improper Privilege Management" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/minio/minio/security/advisories/GHSA-j6jc-jqqc-p6cx", "refsource": "CONFIRM", "url": "https://github.com/minio/minio/security/advisories/GHSA-j6jc-jqqc-p6cx" }, { "name": "https://github.com/minio/minio/pull/13976", "refsource": "MISC", "url": "https://github.com/minio/minio/pull/13976" }, { "name": "https://github.com/minio/minio/pull/7949", "refsource": "MISC", "url": "https://github.com/minio/minio/pull/7949" }, { "name": "https://github.com/minio/minio/commit/5a96cbbeaabd0a82b0fe881378e7c21c85091abf", "refsource": "MISC", "url": "https://github.com/minio/minio/commit/5a96cbbeaabd0a82b0fe881378e7c21c85091abf" }, { "name": "https://github.com/minio/minio/releases/tag/RELEASE.2021-12-27T07-23-18Z", "refsource": "MISC", "url": "https://github.com/minio/minio/releases/tag/RELEASE.2021-12-27T07-23-18Z" } ] }, "source": { "advisory": "GHSA-j6jc-jqqc-p6cx", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": 
"a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-43858", "datePublished": "2021-12-27T21:20:11", "dateReserved": "2021-11-16T00:00:00", "dateUpdated": "2024-08-04T04:10:17.197Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-24747
Vulnerability from cvelistv5
▼ | URL | Tags |
---|---|---|
https://github.com/minio/minio/security/advisories/GHSA-xx8w-mq23-29g4 | x_refsource_CONFIRM | |
https://github.com/minio/minio/commit/0ae4915a9391ef4b3ec80f5fcdcf24ee6884e776 | x_refsource_MISC | |
https://github.com/minio/minio/releases/tag/RELEASE.2024-01-31T20-20-33Z | x_refsource_MISC |
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "minio", "vendor": "minio", "versions": [ { "lessThan": "RELEASE.2024-01-31T20-20-33Z", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-24747", "options": [ { "Exploitation": "poc" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-05-09T04:00:49.594536Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-06T14:14:48.455Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-01T23:28:11.919Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/minio/minio/security/advisories/GHSA-xx8w-mq23-29g4", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/minio/minio/security/advisories/GHSA-xx8w-mq23-29g4" }, { "name": "https://github.com/minio/minio/commit/0ae4915a9391ef4b3ec80f5fcdcf24ee6884e776", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/minio/minio/commit/0ae4915a9391ef4b3ec80f5fcdcf24ee6884e776" }, { "name": "https://github.com/minio/minio/releases/tag/RELEASE.2024-01-31T20-20-33Z", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/minio/minio/releases/tag/RELEASE.2024-01-31T20-20-33Z" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "minio", "vendor": "minio", "versions": [ { "status": "affected", "version": "\u003c RELEASE.2024-01-31T20-20-33Z" } ] } ], "descriptions": [ { "lang": "en", "value": "MinIO is a High Performance Object Storage. When someone creates an access key, it inherits the permissions of the parent key. 
Not only for `s3:*` actions, but also `admin:*` actions. Which means unless somewhere above in the access-key hierarchy, the `admin` rights are denied, access keys will be able to simply override their own `s3` permissions to something more permissive. The vulnerability is fixed in RELEASE.2024-01-31T20-20-33Z." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-269", "description": "CWE-269: Improper Privilege Management", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-01-31T22:10:23.375Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/minio/minio/security/advisories/GHSA-xx8w-mq23-29g4", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/minio/minio/security/advisories/GHSA-xx8w-mq23-29g4" }, { "name": "https://github.com/minio/minio/commit/0ae4915a9391ef4b3ec80f5fcdcf24ee6884e776", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/minio/minio/commit/0ae4915a9391ef4b3ec80f5fcdcf24ee6884e776" }, { "name": "https://github.com/minio/minio/releases/tag/RELEASE.2024-01-31T20-20-33Z", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/minio/minio/releases/tag/RELEASE.2024-01-31T20-20-33Z" } ], "source": { "advisory": "GHSA-xx8w-mq23-29g4", "discovery": "UNKNOWN" }, "title": "MinIO unsafe default: Access keys inherit `admin` of root user, allowing privilege escalation" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-24747", "datePublished": "2024-01-31T22:10:23.375Z", 
"dateReserved": "2024-01-29T20:51:26.009Z", "dateUpdated": "2024-08-01T23:28:11.919Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-11012
Vulnerability from cvelistv5
▼ | URL | Tags |
---|---|---|
https://github.com/minio/minio/security/advisories/GHSA-xv4r-vccv-mg4w | x_refsource_CONFIRM | |
https://github.com/minio/minio/pull/9422 | x_refsource_MISC | |
https://github.com/minio/minio/commit/4cd6ca02c7957aeb2de3eede08b0754332a77923 | x_refsource_MISC | |
https://github.com/minio/minio/releases/tag/RELEASE.2020-04-23T00-58-49Z | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T11:21:14.522Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/minio/minio/security/advisories/GHSA-xv4r-vccv-mg4w" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/minio/minio/pull/9422" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/minio/minio/commit/4cd6ca02c7957aeb2de3eede08b0754332a77923" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/minio/minio/releases/tag/RELEASE.2020-04-23T00-58-49Z" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "minio", "vendor": "MinIO", "versions": [ { "status": "affected", "version": "\u003c RELEASE.2020-04-23T00-58-49Z" } ] } ], "descriptions": [ { "lang": "en", "value": "MinIO versions before RELEASE.2020-04-23T00-58-49Z have an authentication bypass issue in the MinIO admin API. Given an admin access key, it is possible to perform admin API operations i.e. creating new service accounts for existing access keys - without knowing the admin secret key. This has been fixed and released in version RELEASE.2020-04-23T00-58-49Z." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-305", "description": "CWE-305: Authentication Bypass by Primary Weakness", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2020-04-23T21:55:14", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/minio/minio/security/advisories/GHSA-xv4r-vccv-mg4w" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/minio/minio/pull/9422" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/minio/minio/commit/4cd6ca02c7957aeb2de3eede08b0754332a77923" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/minio/minio/releases/tag/RELEASE.2020-04-23T00-58-49Z" } ], "source": { "advisory": "GHSA-xv4r-vccv-mg4w", "discovery": "UNKNOWN" }, "title": "Authentication bypass MinIO Admin API", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-11012", "STATE": "PUBLIC", "TITLE": "Authentication bypass MinIO Admin API" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "minio", "version": { "version_data": [ { "version_value": "\u003c RELEASE.2020-04-23T00-58-49Z" } ] } } ] }, "vendor_name": "MinIO" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "MinIO versions before RELEASE.2020-04-23T00-58-49Z have an authentication bypass issue in the MinIO admin API. 
Given an admin access key, it is possible to perform admin API operations i.e. creating new service accounts for existing access keys - without knowing the admin secret key. This has been fixed and released in version RELEASE.2020-04-23T00-58-49Z." } ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-305: Authentication Bypass by Primary Weakness" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/minio/minio/security/advisories/GHSA-xv4r-vccv-mg4w", "refsource": "CONFIRM", "url": "https://github.com/minio/minio/security/advisories/GHSA-xv4r-vccv-mg4w" }, { "name": "https://github.com/minio/minio/pull/9422", "refsource": "MISC", "url": "https://github.com/minio/minio/pull/9422" }, { "name": "https://github.com/minio/minio/commit/4cd6ca02c7957aeb2de3eede08b0754332a77923", "refsource": "MISC", "url": "https://github.com/minio/minio/commit/4cd6ca02c7957aeb2de3eede08b0754332a77923" }, { "name": "https://github.com/minio/minio/releases/tag/RELEASE.2020-04-23T00-58-49Z", "refsource": "MISC", "url": "https://github.com/minio/minio/releases/tag/RELEASE.2020-04-23T00-58-49Z" } ] }, "source": { "advisory": "GHSA-xv4r-vccv-mg4w", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2020-11012", "datePublished": "2020-04-23T21:55:14", "dateReserved": "2020-03-30T00:00:00", "dateUpdated": "2024-08-04T11:21:14.522Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
Vulnerability from fkie_nvd
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*", "matchCriteriaId": "63CBB19F-80FF-4D6B-ADF3-7BD9768861D0", "versionEndExcluding": "2023-03-20t20-16-18z", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Minio is a Multi-Cloud Object Storage framework. All users on Windows prior to version RELEASE.2023-03-20T20-16-18Z are impacted. MinIO fails to filter the `\\` character, which allows for arbitrary object placement across buckets. As a result, a user with low privileges, such as an access key, service account, or STS credential, which only has permission to `PutObject` in a specific bucket, can create an admin user. This issue is patched in RELEASE.2023-03-20T20-16-18Z. There are no known workarounds." } ], "id": "CVE-2023-28433", "lastModified": "2024-11-21T07:55:03.410", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2023-03-22T21:15:18.340", "references": [ { "source": "security-advisories@github.com", 
"tags": [ "Patch" ], "url": "https://github.com/minio/minio/commit/8d6558b23649f613414c8527b58973fbdfa4d1b8" }, { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/minio/minio/commit/b3c54ec81e0a06392abfb3a1ffcdc80c6fbf6ebc" }, { "source": "security-advisories@github.com", "tags": [ "Release Notes" ], "url": "https://github.com/minio/minio/releases/tag/RELEASE.2023-03-20T20-16-18Z" }, { "source": "security-advisories@github.com", "tags": [ "Vendor Advisory" ], "url": "https://github.com/minio/minio/security/advisories/GHSA-w23q-4hw3-2pp6" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "https://github.com/minio/minio/commit/8d6558b23649f613414c8527b58973fbdfa4d1b8" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "https://github.com/minio/minio/commit/b3c54ec81e0a06392abfb3a1ffcdc80c6fbf6ebc" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes" ], "url": "https://github.com/minio/minio/releases/tag/RELEASE.2023-03-20T20-16-18Z" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://github.com/minio/minio/security/advisories/GHSA-w23q-4hw3-2pp6" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-668" } ], "source": "security-advisories@github.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
2.7 (Low) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*", "matchCriteriaId": "43154FF8-4DBD-4414-9B01-6F05392A3AFD", "versionEndExcluding": "2022-07-29t19-40-48z", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. In affected versions all \u0027admin\u0027 users authorized for `admin:ServerUpdate` can selectively trigger an error that in response, returns the content of the path requested. Any normal OS system would allow access to contents at any arbitrary paths that are readable by MinIO process. Users are advised to upgrade. Users unable to upgrade may disable ServerUpdate API by denying the `admin:ServerUpdate` action for your admin users via IAM policies." }, { "lang": "es", "value": "MinIO es un almacenamiento de objetos de alto rendimiento publicado bajo la licencia p\u00fablica general Affero de GNU versi\u00f3n v3.0. En versiones afectadas, todos los usuarios \"admin\" autorizados para \"admin:ServerUpdate\" pueden provocar selectivamente un error que, en respuesta, devuelva el contenido de la ruta solicitada. Cualquier sistema operativo normal permitir\u00eda el acceso a contenidos en cualquier ruta arbitraria que sea legible por el proceso MinIO. Es recomendado a usuarios actualizar. 
Los usuarios que no puedan actualizar pueden deshabilitar la API ServerUpdate denegando la acci\u00f3n \"admin:ServerUpdate\" para sus usuarios administradores por medio de pol\u00edticas IAM" } ], "id": "CVE-2022-35919", "lastModified": "2024-11-21T07:11:57.743", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L", "version": "3.1" }, "exploitabilityScore": 3.1, "impactScore": 3.7, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 1.2, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2022-08-01T22:15:10.280", "references": [ { "source": "security-advisories@github.com", "url": "http://packetstormsecurity.com/files/175010/Minio-2022-07-29T19-40-48Z-Path-Traversal.html" }, { "source": "security-advisories@github.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/minio/minio/commit/bc72e4226e669d98c8e0f3eccc9297be9251c692" }, { "source": "security-advisories@github.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/minio/minio/pull/15429" }, { "source": "security-advisories@github.com", "tags": [ "Exploit", "Mitigation", "Patch", "Third Party Advisory" ], "url": "https://github.com/minio/minio/security/advisories/GHSA-gr9v-6pcm-rqvg" }, { "source": 
"af854a3a-2127-422b-91ae-364da2661108", "url": "http://packetstormsecurity.com/files/175010/Minio-2022-07-29T19-40-48Z-Path-Traversal.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/minio/minio/commit/bc72e4226e669d98c8e0f3eccc9297be9251c692" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/minio/minio/pull/15429" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Mitigation", "Patch", "Third Party Advisory" ], "url": "https://github.com/minio/minio/security/advisories/GHSA-gr9v-6pcm-rqvg" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-22" } ], "source": "security-advisories@github.com", "type": "Primary" } ] }
Vulnerability from fkie_nvd
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
▼ | URL | Tags | |
---|---|---|---|
security-advisories@github.com | https://github.com/minio/minio/commit/66b14a0d32684d527ae8018dc6d9d46ccce58ae3 | Patch, Third Party Advisory | |
security-advisories@github.com | https://github.com/minio/minio/pull/14729 | Exploit, Patch, Third Party Advisory | |
security-advisories@github.com | https://github.com/minio/minio/security/advisories/GHSA-2j69-jjmg-534q | Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/minio/minio/commit/66b14a0d32684d527ae8018dc6d9d46ccce58ae3 | Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/minio/minio/pull/14729 | Exploit, Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/minio/minio/security/advisories/GHSA-2j69-jjmg-534q | Patch, Third Party Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*", "matchCriteriaId": "3D2E3996-716E-4C51-A15F-6420BD59FA82", "versionEndExcluding": "2022-04-12t06-55-35z", "versionStartIncluding": "2021-12-09t06-19-41z", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. A security issue was found where an non-admin user is able to create service accounts for root or other admin users and then is able to assume their access policies via the generated credentials. This in turn allows the user to escalate privilege to that of the root user. This vulnerability has been resolved in pull request #14729 and is included in `RELEASE.2022-04-12T06-55-35Z`. Users unable to upgrade may workaround this issue by explicitly adding a `admin:CreateServiceAccount` deny policy, however, this, in turn, denies the user the ability to create their own service accounts as well." }, { "lang": "es", "value": "MinIO es un almacenamiento de objetos de alto rendimiento publicado bajo la Licencia P\u00fablica General Affero versi\u00f3n v3.0 de GNU. Se ha encontrado un problema de seguridad en el que un usuario no administrador es capaz de crear cuentas de servicio para el usuario root u otros usuarios administradores y luego es capaz de asumir sus pol\u00edticas de acceso por medio de las credenciales generadas. Esto, a su vez, permite al usuario escalar sus privilegios a los del usuario root. Esta vulnerabilidad ha sido resuelta en el pull request #14729 y es incluida en \u0027RELEASE.2022-04-12T06-55-35Z\". 
Los usuarios que no puedan actualizar pueden mitigar este problema al a\u00f1adir expl\u00edcitamente una pol\u00edtica de denegaci\u00f3n \"admin:CreateServiceAccount\", pero esto, a su vez, deniega al usuario la capacidad de crear sus propias cuentas de servicio" } ], "id": "CVE-2022-24842", "lastModified": "2024-11-21T06:51:13.093", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "COMPLETE", "baseScore": 9.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2022-04-12T18:15:09.690", "references": [ { "source": "security-advisories@github.com", "tags": [ 
"Patch", "Third Party Advisory" ], "url": "https://github.com/minio/minio/commit/66b14a0d32684d527ae8018dc6d9d46ccce58ae3" }, { "source": "security-advisories@github.com", "tags": [ "Exploit", "Patch", "Third Party Advisory" ], "url": "https://github.com/minio/minio/pull/14729" }, { "source": "security-advisories@github.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/minio/minio/security/advisories/GHSA-2j69-jjmg-534q" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/minio/minio/commit/66b14a0d32684d527ae8018dc6d9d46ccce58ae3" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Patch", "Third Party Advisory" ], "url": "https://github.com/minio/minio/pull/14729" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/minio/minio/security/advisories/GHSA-2j69-jjmg-534q" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-269" } ], "source": "security-advisories@github.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "NVD-CWE-Other" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*", "matchCriteriaId": "D17AB9B3-22BB-48A4-8317-3EB80B812FFA", "versionEndExcluding": "2021-03-04t00-53-13z", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "MinIO is an open-source high performance object storage service and it is API compatible with Amazon S3 cloud storage service. In MinIO before version RELEASE.2021-03-04T00-53-13Z it is possible to bypass a readOnly policy by creating a temporary \u0027mc share upload\u0027 URL. Everyone is impacted who uses MinIO multi-users. This is fixed in version RELEASE.2021-03-04T00-53-13Z. As a workaround, one can disable uploads with `Content-Type: multipart/form-data` as mentioned in the S3 API RESTObjectPOST docs by using a proxy in front of MinIO." }, { "lang": "es", "value": "MinIO es un servicio de almacenamiento de objetos de alto rendimiento de c\u00f3digo abierto y es compatible con la API con el servicio de almacenamiento en nube Amazon S3.\u0026#xa0;En MinIO versiones anteriores a RELEASE.2021-03-04T00-53-13Z, es posible omitir una pol\u00edtica de solo lectura al crear una URL temporal \"mc share upload\".\u0026#xa0;Todos los que usan MinIO multiusuario est\u00e1n afectados.\u0026#xa0;Esto es corregido en versi\u00f3n RELEASE.2021-03-04T00-53-13Z.\u0026#xa0;Como una soluci\u00f3n alternativa, puede ser deshabilitar las cargas con \"Content-Type: multipart/form-data\" como es mencionado en los documentos RESTObjectPOST de la API S3 al usar un proxy frente a MinIO" } ], "id": "CVE-2021-21362", "lastModified": "2024-11-21T05:48:12.000", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", 
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N", "version": "3.1" }, "exploitabilityScore": 3.1, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-03-08T19:15:13.443", "references": [ { "source": "security-advisories@github.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/minio/minio/commit/039f59b552319fcc2f83631bb421a7d4b82bc482" }, { "source": "security-advisories@github.com", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://github.com/minio/minio/pull/11682" }, { "source": "security-advisories@github.com", "tags": [ "Release Notes", "Third Party Advisory" ], "url": "https://github.com/minio/minio/releases/tag/RELEASE.2021-03-04T00-53-13Z" }, { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": "https://github.com/minio/minio/security/advisories/GHSA-hq5j-6r98-9m8v" }, { "source": 
"af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/minio/minio/commit/039f59b552319fcc2f83631bb421a7d4b82bc482" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://github.com/minio/minio/pull/11682" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes", "Third Party Advisory" ], "url": "https://github.com/minio/minio/releases/tag/RELEASE.2021-03-04T00-53-13Z" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://github.com/minio/minio/security/advisories/GHSA-hq5j-6r98-9m8v" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-285" } ], "source": "security-advisories@github.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-863" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
7.7 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*", "matchCriteriaId": "D3A143A4-A6FC-4BF5-B572-C66FF7D566FA", "versionEndExcluding": "2021-01-30t00-20-58z", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "MinIO is a High Performance Object Storage released under Apache License v2.0. In MinIO before version RELEASE.2021-01-30T00-20-58Z there is a server-side request forgery vulnerability. The target application may have functionality for importing data from a URL, publishing data to a URL, or otherwise reading data from a URL that can be tampered with. The attacker modifies the calls to this functionality by supplying a completely different URL or by manipulating how URLs are built (path traversal etc.). In a Server-Side Request Forgery (SSRF) attack, the attacker can abuse functionality on the server to read or update internal resources. The attacker can supply or modify a URL which the code running on the server will read or submit data, and by carefully selecting the URLs, the attacker may be able to read server configuration such as AWS metadata, connect to internal services like HTTP enabled databases, or perform post requests towards internal services which are not intended to be exposed. This is fixed in version RELEASE.2021-01-30T00-20-58Z, all users are advised to upgrade. As a workaround you can disable the browser front-end with \"MINIO_BROWSER=off\" environment variable." 
}, { "lang": "es", "value": "MinIO es un Almacenamiento de Objetos de Alto Rendimiento publicado bajo la licencia Apache versi\u00f3n v2.0.\u0026#xa0;En MinIO anterior a la versi\u00f3n RELEASE.2021-01-30T00-20-58Z, se presenta una vulnerabilidad de tipo server-side request forgery.\u0026#xa0;La aplicaci\u00f3n objetivo puede tener una funcionalidad para importar datos de una URL, publicar datos en una URL o leer datos de una URL con que puedan ser alterada. El atacante modifica las llamadas a esta funcionalidad proporcionando una URL completamente diferente o al manipular c\u00f3mo se construyen las URL (salto de ruta, etc.).\u0026#xa0;En un ataque de tipo Server-Side Request Forgery (SSRF), el atacante puede abusar de la funcionalidad en el servidor para leer o actualizar recursos internos.\u0026#xa0;El atacante puede proporcionar o modificar una URL que el c\u00f3digo que se ejecuta en el servidor leer\u00e1 o enviar\u00e1 datos, y al seleccionar cuidadosamente las URL, el atacante puede leer la configuraci\u00f3n del servidor, como los metadatos de AWS,\u0026#xa0;conectarse a servicios internos como bases de datos habilitadas para HTTP, o realizar peticiones posteriores a servicios internos que no est\u00e9n destinados a ser expuestos.\u0026#xa0;Esto es corregido en la versi\u00f3n RELEASE.2021-01-30T00-20-58Z, se recomienda a todos los usuarios que actualicen.\u0026#xa0;Como soluci\u00f3n alternativa, puede desactivar la interfaz del navegador con la variable de entorno \"MINIO_BROWSER = off\"" } ], "id": "CVE-2021-21287", "lastModified": "2024-11-21T05:47:56.277", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 2.9, 
"obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.1, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.1, "impactScore": 4.0, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-02-01T18:15:13.890", "references": [ { "source": "security-advisories@github.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/minio/minio/commit/eb6871ecd960d570f70698877209e6db181bf276" }, { "source": "security-advisories@github.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/minio/minio/pull/11337" }, { "source": "security-advisories@github.com", "tags": [ "Release Notes", "Third Party Advisory" ], "url": "https://github.com/minio/minio/releases/tag/RELEASE.2021-01-30T00-20-58Z" }, { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": "https://github.com/minio/minio/security/advisories/GHSA-m4qq-5f7c-693q" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": 
"https://github.com/minio/minio/commit/eb6871ecd960d570f70698877209e6db181bf276" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/minio/minio/pull/11337" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes", "Third Party Advisory" ], "url": "https://github.com/minio/minio/releases/tag/RELEASE.2021-01-30T00-20-58Z" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://github.com/minio/minio/security/advisories/GHSA-m4qq-5f7c-693q" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-918" } ], "source": "security-advisories@github.com", "type": "Primary" } ] }
Vulnerability from fkie_nvd
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:minio:minio:2024-01-31t20-20-33z:*:*:*:*:*:*:*", "matchCriteriaId": "67E9B6B4-7A63-40A3-B815-3ADCA52DE423", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "MinIO is a High Performance Object Storage. When someone creates an access key, it inherits the permissions of the parent key. Not only for `s3:*` actions, but also `admin:*` actions. Which means unless somewhere above in the access-key hierarchy, the `admin` rights are denied, access keys will be able to simply override their own `s3` permissions to something more permissive. The vulnerability is fixed in RELEASE.2024-01-31T20-20-33Z." }, { "lang": "es", "value": "MinIO es un almacenamiento de objetos de alto rendimiento. Cuando alguien crea una clave de acceso, hereda los permisos de la clave principal. No solo para acciones `s3:*`, sino tambi\u00e9n para acciones `admin:*`. Lo que significa que, a menos que en alg\u00fan lugar superior de la jerarqu\u00eda de claves de acceso se denieguen los derechos de \"administrador\", las claves de acceso podr\u00e1n simplemente anular sus propios permisos \"s3\" por algo m\u00e1s permisivo. La vulnerabilidad se solucion\u00f3 en RELEASE.2024-01-31T20-20-33Z." 
} ], "id": "CVE-2024-24747", "lastModified": "2024-11-21T08:59:36.850", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2024-01-31T22:15:54.813", "references": [ { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/minio/minio/commit/0ae4915a9391ef4b3ec80f5fcdcf24ee6884e776" }, { "source": "security-advisories@github.com", "tags": [ "Patch", "Release Notes" ], "url": "https://github.com/minio/minio/releases/tag/RELEASE.2024-01-31T20-20-33Z" }, { "source": "security-advisories@github.com", "tags": [ "Exploit", "Patch", "Vendor Advisory" ], "url": "https://github.com/minio/minio/security/advisories/GHSA-xx8w-mq23-29g4" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "https://github.com/minio/minio/commit/0ae4915a9391ef4b3ec80f5fcdcf24ee6884e776" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Release Notes" ], "url": "https://github.com/minio/minio/releases/tag/RELEASE.2024-01-31T20-20-33Z" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", 
"tags": [ "Exploit", "Patch", "Vendor Advisory" ], "url": "https://github.com/minio/minio/security/advisories/GHSA-xx8w-mq23-29g4" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-269" } ], "source": "security-advisories@github.com", "type": "Primary" } ] }
Vulnerability from fkie_nvd
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://github.com/minio/minio/commit/9c8b7306f55f2c8c0a5c7cea9a8db9d34be8faa7#diff-e8c3bc9bc83b5516d0cc806cd461d08bL220 | Patch, Third Party Advisory | |
cve@mitre.org | https://github.com/minio/minio/pull/5957 | Issue Tracking, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/minio/minio/commit/9c8b7306f55f2c8c0a5c7cea9a8db9d34be8faa7#diff-e8c3bc9bc83b5516d0cc806cd461d08bL220 | Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/minio/minio/pull/5957 | Issue Tracking, Third Party Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*", "matchCriteriaId": "5215DB3C-DC61-4ECE-84CC-A74AA2975671", "versionEndExcluding": "2018-05-16t23-35-33z", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Minio Inc. Minio S3 server version prior to RELEASE.2018-05-16T23-35-33Z contains an Allocation of Memory Without Limits or Throttling (similar to CWE-774) vulnerability in write-to-RAM that can result in Denial of Service. This attack appears to be exploitable via sending V4-(pre)signed requests with large bodies. This vulnerability appears to have been fixed after commit 9c8b7306f55f2c8c0a5c7cea9a8db9d34be8faa7." }, { "lang": "es", "value": "El servidor Minio S3, de Minio Inc., en versiones anteriores al RELEASE.2018-05-16T23-35-33Z contiene una vulnerabilidad de memoria sin l\u00edmites o \"throttling\" (similar al CWE-774) en write-to-RAM que puede resultar en una denegaci\u00f3n de servicio (DoS). El ataque parece ser explotable mediante el env\u00edo de peticiones prefirmadas con V4 con cuerpos largos. La vulnerabilidad parece haber sido solucionada tras el commit con ID 9c8b7306f55f2c8c0a5c7cea9a8db9d34be8faa7." 
} ], "id": "CVE-2018-1000538", "lastModified": "2024-11-21T03:40:09.113", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2018-06-26T16:29:02.133", "references": [ { "source": "cve@mitre.org", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/minio/minio/commit/9c8b7306f55f2c8c0a5c7cea9a8db9d34be8faa7#diff-e8c3bc9bc83b5516d0cc806cd461d08bL220" }, { "source": "cve@mitre.org", "tags": [ "Issue Tracking", "Third Party Advisory" ], "url": "https://github.com/minio/minio/pull/5957" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/minio/minio/commit/9c8b7306f55f2c8c0a5c7cea9a8db9d34be8faa7#diff-e8c3bc9bc83b5516d0cc806cd461d08bL220" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Third Party Advisory" ], "url": "https://github.com/minio/minio/pull/5957" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ 
{ "description": [ { "lang": "en", "value": "CWE-774" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
▼ | URL | Tags | |
---|---|---|---|
security-advisories@github.com | https://gist.github.com/harshavardhana/2d00e6f909054d2d2524c71485ad02e1 | Exploit, Third Party Advisory | |
security-advisories@github.com | https://github.com/minio/minio/pull/14995 | Patch, Third Party Advisory | |
security-advisories@github.com | https://github.com/minio/minio/releases/tag/RELEASE.2022-06-03T01-40-53Z | Third Party Advisory | |
security-advisories@github.com | https://github.com/minio/minio/security/advisories/GHSA-qrpr-r3pw-f636 | Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://gist.github.com/harshavardhana/2d00e6f909054d2d2524c71485ad02e1 | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/minio/minio/pull/14995 | Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/minio/minio/releases/tag/RELEASE.2022-06-03T01-40-53Z | Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/minio/minio/security/advisories/GHSA-qrpr-r3pw-f636 | Third Party Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*", "matchCriteriaId": "475F440D-67A1-4C71-9B3F-89AF627B3D4F", "versionEndExcluding": "2022-06-02t02-11-04z", "versionStartIncluding": "2019-09-25t18-25-51z", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "MinIO is a multi-cloud object storage solution. Starting with version RELEASE.2019-09-25T18-25-51Z and ending with version RELEASE.2022-06-02T02-11-04Z, MinIO is vulnerable to an unending go-routine buildup while keeping connections established due to HTTP clients not closing the connections. Public-facing MinIO deployments are most affected. Users should upgrade to RELEASE.2022-06-02T02-11-04Z to receive a patch. One possible workaround is to use a reverse proxy to limit the number of connections being attempted in front of MinIO, and actively rejecting connections from such malicious clients." }, { "lang": "es", "value": "MinIO es una soluci\u00f3n de almacenamiento de objetos multi-nube. A partir de la versi\u00f3n RELEASE.2019-09-25T18-25-51Z y versiones hasta RELEASE.2022-06-02T02-11-04Z, MinIO es vulnerable a una acumulaci\u00f3n interminable de rutinas mientras mantiene las conexiones establecidas debido a que los clientes HTTP no cierran las conexiones. Los despliegues de MinIO de cara al p\u00fablico son los m\u00e1s afectados. Los usuarios deben actualizar a RELEASE.2022-06-02T02-11-04Z para recibir un parche. 
Una posible mitigaci\u00f3n es usar un proxy inverso para limitar el n\u00famero de conexiones que son intentadas delante de MinIO, y rechazar activamente las conexiones de estos clientes maliciosos" } ], "id": "CVE-2022-31028", "lastModified": "2024-11-21T07:03:44.633", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2022-06-07T16:15:07.760", "references": [ { "source": "security-advisories@github.com", "tags": [ "Exploit", "Third Party Advisory" ], "url": 
"https://gist.github.com/harshavardhana/2d00e6f909054d2d2524c71485ad02e1" }, { "source": "security-advisories@github.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/minio/minio/pull/14995" }, { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": "https://github.com/minio/minio/releases/tag/RELEASE.2022-06-03T01-40-53Z" }, { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": "https://github.com/minio/minio/security/advisories/GHSA-qrpr-r3pw-f636" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://gist.github.com/harshavardhana/2d00e6f909054d2d2524c71485ad02e1" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/minio/minio/pull/14995" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://github.com/minio/minio/releases/tag/RELEASE.2022-06-03T01-40-53Z" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://github.com/minio/minio/security/advisories/GHSA-qrpr-r3pw-f636" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-400" } ], "source": "security-advisories@github.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-400" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
5.9 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
▼ | URL | Tags | |
---|---|---|---|
security-advisories@github.com | https://github.com/minio/minio/commit/e197800f9055489415b53cf137e31e194aaf7ba0 | Exploit, Patch, Third Party Advisory | |
security-advisories@github.com | https://github.com/minio/minio/pull/11801 | Exploit, Patch, Third Party Advisory | |
security-advisories@github.com | https://github.com/minio/minio/security/advisories/GHSA-xr7r-7gpj-5pgp | Exploit, Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/minio/minio/commit/e197800f9055489415b53cf137e31e194aaf7ba0 | Exploit, Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/minio/minio/pull/11801 | Exploit, Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/minio/minio/security/advisories/GHSA-xr7r-7gpj-5pgp | Exploit, Patch, Third Party Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*", "matchCriteriaId": "420A5DDF-D7F9-45C8-82EB-BD18D81939CA", "versionEndExcluding": "2021-03-17t02-33-02z", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "MinIO is an open-source high performance object storage service and it is API compatible with Amazon S3 cloud storage service. In MinIO before version RELEASE.2021-03-17T02-33-02Z, there is a vulnerability which enables MITM modification of request bodies that are meant to have integrity guaranteed by chunk signatures. In a PUT request using aws-chunked encoding, MinIO ordinarily verifies signatures at the end of a chunk. This check can be skipped if the client sends a false chunk size that is much greater than the actual data sent: the server accepts and completes the request without ever reaching the end of the chunk + thereby without ever checking the chunk signature. This is fixed in version RELEASE.2021-03-17T02-33-02Z. As a workaround one can avoid using \"aws-chunked\" encoding-based chunk signature upload requests instead use TLS. MinIO SDKs automatically disable chunked encoding signature when the server endpoint is configured with TLS." }, { "lang": "es", "value": "MinIO es un servicio de almacenamiento de objetos de alto rendimiento de c\u00f3digo abierto y su API es compatible con el servicio de almacenamiento en la nube Amazon S3. En MinIO versiones anteriores a RELEASE.2021-03-17T02-33-02Z, se presenta una vulnerabilidad que permite la modificaci\u00f3n por parte de un MITM de los cuerpos de las peticiones que se supone que presentan la integridad garantizada por las firmas de los fragmentos. En una petici\u00f3n PUT que usa la codificaci\u00f3n aws-chunked, MinIO normalmente comprueba las firmas al final de un fragmento. 
Esta comprobaci\u00f3n puede saltarse si el cliente env\u00eda un tama\u00f1o de fragmento falso que es mucho mayor que los datos reales enviados: el servidor acepta y completa la petici\u00f3n sin llegar nunca al final del fragmento + por tanto sin comprobar nunca la firma del fragmento. Esto se ha corregido en la versi\u00f3n RELEASE.2021-03-17T02-33-02Z. Como soluci\u00f3n, se puede evitar el uso de peticiones de carga de firmas de fragmentos basadas en la codificaci\u00f3n \"aws-chunked\" y, en su lugar, usar TLS. Los SDKs de MinIO deshabilitan autom\u00e1ticamente la firma de codificaci\u00f3n en trozos cuando el endpoint del servidor est\u00e1 configurado con TLS" } ], "id": "CVE-2021-21390", "lastModified": "2024-11-21T05:48:15.620", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", 
"confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" }, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-03-19T16:15:12.920", "references": [ { "source": "security-advisories@github.com", "tags": [ "Exploit", "Patch", "Third Party Advisory" ], "url": "https://github.com/minio/minio/commit/e197800f9055489415b53cf137e31e194aaf7ba0" }, { "source": "security-advisories@github.com", "tags": [ "Exploit", "Patch", "Third Party Advisory" ], "url": "https://github.com/minio/minio/pull/11801" }, { "source": "security-advisories@github.com", "tags": [ "Exploit", "Patch", "Third Party Advisory" ], "url": "https://github.com/minio/minio/security/advisories/GHSA-xr7r-7gpj-5pgp" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Patch", "Third Party Advisory" ], "url": "https://github.com/minio/minio/commit/e197800f9055489415b53cf137e31e194aaf7ba0" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Patch", "Third Party Advisory" ], "url": "https://github.com/minio/minio/pull/11801" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Patch", "Third Party Advisory" ], "url": "https://github.com/minio/minio/security/advisories/GHSA-xr7r-7gpj-5pgp" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-924" } ], "source": "security-advisories@github.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-924" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
▼ | URL | Tags | |
---|---|---|---|
security-advisories@github.com | https://github.com/minio/minio/commit/415bbc74aacd53a120e54a663e941b1809982dbd | Patch, Third Party Advisory | |
security-advisories@github.com | https://github.com/minio/minio/pull/13388 | Patch, Third Party Advisory | |
security-advisories@github.com | https://github.com/minio/minio/pull/13422 | Patch, Third Party Advisory | |
security-advisories@github.com | https://github.com/minio/minio/security/advisories/GHSA-v64v-g97p-577c | Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/minio/minio/commit/415bbc74aacd53a120e54a663e941b1809982dbd | Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/minio/minio/pull/13388 | Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/minio/minio/pull/13422 | Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/minio/minio/security/advisories/GHSA-v64v-g97p-577c | Third Party Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:minio:minio:2021-10-10t16-53-30z:*:*:*:*:*:*:*", "matchCriteriaId": "3AB9615C-F075-41E6-B11E-BF0E011832FB", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Minio is a Kubernetes native application for cloud storage. All users on release `RELEASE.2021-10-10T16-53-30Z` are affected by a vulnerability that involves bypassing policy restrictions on regular users. Normally, checkKeyValid() should return owner true for rootCreds. In the affected version, policy restriction did not work properly for users who did not have service (svc) or security token service (STS) accounts. This issue is fixed in `RELEASE.2021-10-13T00-23-17Z`. A downgrade back to release `RELEASE.2021-10-08T23-58-24Z` is available as a workaround." }, { "lang": "es", "value": "Minio es una aplicaci\u00f3n nativa de Kubernetes para el almacenamiento en la nube. Todos los usuarios de la versi\u00f3n \"RELEASE.2021-10-10T16-53-30Z\" est\u00e1n afectados por una vulnerabilidad que implica omitir las restricciones de las pol\u00edticas de los usuarios normales. Normalmente, checkKeyValid() deber\u00eda devolver el propietario true para rootCreds. En la versi\u00f3n afectada, la restricci\u00f3n de pol\u00edticas no funcionaba correctamente para usuarios que no ten\u00edan cuentas de servicio (svc) o de servicio de token de seguridad (STS). Este problema es corregido en la versi\u00f3n \"RELEASE.2021-10-13T00-23-17Z\". 
Como soluci\u00f3n, es posible volver a la versi\u00f3n \"RELEASE.2021-10-08T23-58-24Z\"" } ], "id": "CVE-2021-41137", "lastModified": "2024-11-21T06:25:33.953", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary" } ] }, "published": "2021-10-13T14:15:07.827", "references": [ { "source": "security-advisories@github.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/minio/minio/commit/415bbc74aacd53a120e54a663e941b1809982dbd" }, { "source": "security-advisories@github.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/minio/minio/pull/13388" }, { "source": "security-advisories@github.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/minio/minio/pull/13422" }, { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": "https://github.com/minio/minio/security/advisories/GHSA-v64v-g97p-577c" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ 
"Patch", "Third Party Advisory" ], "url": "https://github.com/minio/minio/commit/415bbc74aacd53a120e54a663e941b1809982dbd" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/minio/minio/pull/13388" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/minio/minio/pull/13422" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://github.com/minio/minio/security/advisories/GHSA-v64v-g97p-577c" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-285" } ], "source": "security-advisories@github.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "NVD-CWE-Other" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
▼ | URL | Tags | |
---|---|---|---|
security-advisories@github.com | https://github.com/minio/minio/commit/4cd6ca02c7957aeb2de3eede08b0754332a77923 | Patch, Third Party Advisory | |
security-advisories@github.com | https://github.com/minio/minio/pull/9422 | Third Party Advisory | |
security-advisories@github.com | https://github.com/minio/minio/releases/tag/RELEASE.2020-04-23T00-58-49Z | Third Party Advisory | |
security-advisories@github.com | https://github.com/minio/minio/security/advisories/GHSA-xv4r-vccv-mg4w | Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/minio/minio/commit/4cd6ca02c7957aeb2de3eede08b0754332a77923 | Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/minio/minio/pull/9422 | Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/minio/minio/releases/tag/RELEASE.2020-04-23T00-58-49Z | Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/minio/minio/security/advisories/GHSA-xv4r-vccv-mg4w | Patch, Third Party Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*", "matchCriteriaId": "31CB1B2A-7802-446D-8D09-53DF944D7444", "versionEndExcluding": "2020-04-23t00-58-49z", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "MinIO versions before RELEASE.2020-04-23T00-58-49Z have an authentication bypass issue in the MinIO admin API. Given an admin access key, it is possible to perform admin API operations i.e. creating new service accounts for existing access keys - without knowing the admin secret key. This has been fixed and released in version RELEASE.2020-04-23T00-58-49Z." }, { "lang": "es", "value": "MinIO versiones anteriores a la versi\u00f3n RELEASE.2020-04-23T00-58-49Z, tiene un problema de omisi\u00f3n de autenticaci\u00f3n en la API de administraci\u00f3n de MinIO. Dada una clave de acceso de administrador, es posible llevar a cabo operaciones de la API del administrador, es decir, crear nuevas cuentas de servicio para claves de acceso existentes, sin conocer la clave secreta del administrador. Esto se ha corregido y publicado en la versi\u00f3n RELEASE.2020-04-23T00-58-49Z." 
} ], "id": "CVE-2020-11012", "lastModified": "2024-11-21T04:56:34.820", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-04-23T22:15:12.833", "references": [ { "source": "security-advisories@github.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/minio/minio/commit/4cd6ca02c7957aeb2de3eede08b0754332a77923" }, { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": "https://github.com/minio/minio/pull/9422" }, { "source": 
"security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": "https://github.com/minio/minio/releases/tag/RELEASE.2020-04-23T00-58-49Z" }, { "source": "security-advisories@github.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/minio/minio/security/advisories/GHSA-xv4r-vccv-mg4w" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/minio/minio/commit/4cd6ca02c7957aeb2de3eede08b0754332a77923" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://github.com/minio/minio/pull/9422" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://github.com/minio/minio/releases/tag/RELEASE.2020-04-23T00-58-49Z" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/minio/minio/security/advisories/GHSA-xv4r-vccv-mg4w" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-305" } ], "source": "security-advisories@github.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-755" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*", "matchCriteriaId": "FEAC2280-F0A0-409B-A579-73896CA26334", "versionEndExcluding": "2021-12-27t07-23-18z", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "MinIO is a Kubernetes native application for cloud storage. Prior to version `RELEASE.2021-12-27T07-23-18Z`, a malicious client can hand-craft an HTTP API call that allows for updating policy for a user and gaining higher privileges. The patch in version `RELEASE.2021-12-27T07-23-18Z` changes the accepted request body type and removes the ability to apply policy changes through this API. There is a workaround for this vulnerability: Changing passwords can be disabled by adding an explicit `Deny` rule to disable the API for users." }, { "lang": "es", "value": "MinIO es una aplicaci\u00f3n nativa de Kubernetes para el almacenamiento en la nube. En versiones anteriores a \"RELEASE.2021-12-27T07-23-18Z\", un cliente malicioso puede elaborar manualmente una llamada a la API HTTP que permite actualizar la pol\u00edtica de un usuario y alcanzar mayores privilegios. El parche de la versi\u00f3n \"RELEASE.2021-12-27T07-23-18Z\" cambia el tipo de cuerpo de petici\u00f3n aceptado y elimina la posibilidad de aplicar cambios de pol\u00edtica mediante esta API. 
Se presenta una soluci\u00f3n para esta vulnerabilidad: El cambio de contrase\u00f1as puede deshabilitarse al a\u00f1adir una regla expl\u00edcita \"Deny\" para deshabilitar la API para los usuarios" } ], "id": "CVE-2021-43858", "lastModified": "2024-11-21T06:29:56.750", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary" } ] }, "published": "2021-12-27T22:15:07.703", "references": [ { "source": "security-advisories@github.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/minio/minio/commit/5a96cbbeaabd0a82b0fe881378e7c21c85091abf" }, { "source": "security-advisories@github.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/minio/minio/pull/13976" }, { "source": "security-advisories@github.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/minio/minio/pull/7949" }, { "source": "security-advisories@github.com", "tags": [ "Release Notes", "Third Party Advisory" ], "url": 
"https://github.com/minio/minio/releases/tag/RELEASE.2021-12-27T07-23-18Z" }, { "source": "security-advisories@github.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/minio/minio/security/advisories/GHSA-j6jc-jqqc-p6cx" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/minio/minio/commit/5a96cbbeaabd0a82b0fe881378e7c21c85091abf" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/minio/minio/pull/13976" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/minio/minio/pull/7949" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes", "Third Party Advisory" ], "url": "https://github.com/minio/minio/releases/tag/RELEASE.2021-12-27T07-23-18Z" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/minio/minio/security/advisories/GHSA-j6jc-jqqc-p6cx" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-269" } ], "source": "security-advisories@github.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-863" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*", "matchCriteriaId": "9A9B7DC5-7425-4572-B5D8-5BAC663B315A", "versionEndExcluding": "2023-03-13t19-46-17z", "versionStartIncluding": "2020-12-23t02-24-12z", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Minio is a Multi-Cloud Object Storage framework. Starting with RELEASE.2020-12-23T02-24-12Z and prior to RELEASE.2023-03-13T19-46-17Z, a user with `consoleAdmin` permissions can potentially create a user that matches the root credential `accessKey`. Once this user is created successfully, the root credential ceases to work appropriately. The issue is patched in RELEASE.2023-03-13T19-46-17Z. There are ways to work around this via adding higher privileges to the disabled root user via `mc admin policy set`." } ], "id": "CVE-2023-27589", "lastModified": "2024-11-21T07:53:12.710", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 1.2, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 1.2, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2023-03-14T19:15:10.547", 
"references": [ { "source": "security-advisories@github.com", "tags": [ "Exploit", "Patch" ], "url": "https://github.com/minio/minio/pull/16803" }, { "source": "security-advisories@github.com", "tags": [ "Vendor Advisory" ], "url": "https://github.com/minio/minio/security/advisories/GHSA-9wfv-wmf7-6753" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Patch" ], "url": "https://github.com/minio/minio/pull/16803" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://github.com/minio/minio/security/advisories/GHSA-9wfv-wmf7-6753" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-269" } ], "source": "security-advisories@github.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
{ "cisaActionDue": "2023-05-12", "cisaExploitAdd": "2023-04-21", "cisaRequiredAction": "Apply updates per vendor instructions.", "cisaVulnerabilityName": "MinIO Information Disclosure Vulnerability", "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*", "matchCriteriaId": "A2A8F3D7-177F-4D52-B4F6-C4AB06AA4A4D", "versionEndExcluding": "2023-03-20t20-16-18z", "versionStartIncluding": "2019-12-17t23-16-33z", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Minio is a Multi-Cloud Object Storage framework. In a cluster deployment starting with RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z, MinIO returns all environment variables, including `MINIO_SECRET_KEY`\nand `MINIO_ROOT_PASSWORD`, resulting in information disclosure. All users of distributed deployment are impacted. All users are advised to upgrade to RELEASE.2023-03-20T20-16-18Z." } ], "id": "CVE-2023-28432", "lastModified": "2024-11-21T07:55:03.283", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, 
"source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2023-03-22T21:15:18.257", "references": [ { "source": "security-advisories@github.com", "tags": [ "Release Notes" ], "url": "https://github.com/minio/minio/releases/tag/RELEASE.2023-03-20T20-16-18Z" }, { "source": "security-advisories@github.com", "tags": [ "Exploit", "Vendor Advisory" ], "url": "https://github.com/minio/minio/security/advisories/GHSA-6xvq-wj2x-3h3q" }, { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": "https://twitter.com/Andrew___Morris/status/1639325397241278464" }, { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": "https://viz.greynoise.io/tag/minio-information-disclosure-attempt" }, { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": "https://www.greynoise.io/blog/openai-minio-and-why-you-should-always-use-docker-cli-scan-to-keep-your-supply-chain-clean" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes" ], "url": "https://github.com/minio/minio/releases/tag/RELEASE.2023-03-20T20-16-18Z" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Vendor Advisory" ], "url": "https://github.com/minio/minio/security/advisories/GHSA-6xvq-wj2x-3h3q" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://twitter.com/Andrew___Morris/status/1639325397241278464" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://viz.greynoise.io/tag/minio-information-disclosure-attempt" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://www.greynoise.io/blog/openai-minio-and-why-you-should-always-use-docker-cli-scan-to-keep-your-supply-chain-clean" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", 
"value": "CWE-200" } ], "source": "security-advisories@github.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
{ "cisaActionDue": "2023-10-10", "cisaExploitAdd": "2023-09-19", "cisaRequiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.", "cisaVulnerabilityName": "MinIO Security Feature Bypass Vulnerability", "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*", "matchCriteriaId": "63CBB19F-80FF-4D6B-ADF3-7BD9768861D0", "versionEndExcluding": "2023-03-20t20-16-18z", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Minio is a Multi-Cloud Object Storage framework. Prior to RELEASE.2023-03-20T20-16-18Z, an attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing `PostPolicyBucket`. To carry out this attack, the attacker requires credentials with `arn:aws:s3:::*` permission, as well as enabled Console API access. This issue has been patched in RELEASE.2023-03-20T20-16-18Z. As a workaround, enable browser API access and turn off `MINIO_BROWSER=off`. 
\n" } ], "id": "CVE-2023-28434", "lastModified": "2024-11-21T07:55:03.533", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2023-03-22T21:15:18.427", "references": [ { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/minio/minio/commit/67f4ba154a27a1b06e48bfabda38355a010dfca5" }, { "source": "security-advisories@github.com", "tags": [ "Exploit", "Issue Tracking" ], "url": "https://github.com/minio/minio/pull/16849" }, { "source": "security-advisories@github.com", "tags": [ "Vendor Advisory" ], "url": "https://github.com/minio/minio/security/advisories/GHSA-2pxw-r47w-4p8c" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "https://github.com/minio/minio/commit/67f4ba154a27a1b06e48bfabda38355a010dfca5" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Issue Tracking" ], "url": "https://github.com/minio/minio/pull/16849" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": 
"https://github.com/minio/minio/security/advisories/GHSA-2pxw-r47w-4p8c" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-269" } ], "source": "security-advisories@github.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*", "matchCriteriaId": "451D6DA1-D25A-46A8-822B-D0A78D65C642", "versionEndExcluding": "2023-02-17t17-52-43z", "versionStartIncluding": "2020-04-10t03-34-42z", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Minio is a Multi-Cloud Object Storage framework. Affected versions do not correctly honor a `Deny` policy on ByPassGoverance. Ideally, minio should return \"Access Denied\" to all users attempting to DELETE a versionId with the special header `X-Amz-Bypass-Governance-Retention: true`. However, this was not honored instead the request will be honored and an object under governance would be incorrectly deleted. All users are advised to upgrade. There are no known workarounds for this issue.\n" }, { "lang": "es", "value": "Minio es un framework de almacenamiento de objetos Multi-Cloud. Las versiones afectadas no respetan correctamente la pol\u00edtica \"Denegar\" en ByPassGoverance. Idealmente, minio deber\u00eda devolver \"Acceso denegado\" a todos los usuarios que intenten ELIMINAR un ID de versi\u00f3n con el encabezado especial \"X-Amz-Bypass-Governance-Retention: true\". Sin embargo, esto no se cumpli\u00f3; en cambio, la solicitud se aceptar\u00e1 y un objeto bajo control se eliminar\u00e1 incorrectamente. Se recomienda a todos los usuarios que actualicen. No se conocen workarounds para este problema." 
} ], "id": "CVE-2023-25812", "lastModified": "2024-11-21T07:50:14.950", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2023-02-21T21:15:11.507", "references": [ { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/minio/minio/commit/a7188bc9d0f0a5ae05aaf1b8126bcd3cb3fdc485" }, { "source": "security-advisories@github.com", "tags": [ "Issue Tracking", "Patch" ], "url": "https://github.com/minio/minio/pull/16635" }, { "source": "security-advisories@github.com", "tags": [ "Exploit", "Vendor Advisory" ], "url": "https://github.com/minio/minio/security/advisories/GHSA-c8fc-mjj8-fc63" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "https://github.com/minio/minio/commit/a7188bc9d0f0a5ae05aaf1b8126bcd3cb3fdc485" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Patch" ], "url": "https://github.com/minio/minio/pull/16635" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Vendor Advisory" ], "url": 
"https://github.com/minio/minio/security/advisories/GHSA-c8fc-mjj8-fc63" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-281" } ], "source": "security-advisories@github.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
var-202103-0649
Vulnerability from variot
MinIO is an open-source high performance object storage service and it is API compatible with Amazon S3 cloud storage service. In MinIO before version RELEASE.2021-03-17T02-33-02Z, there is a vulnerability which enables MITM modification of request bodies that are meant to have integrity guaranteed by chunk signatures. In a PUT request using aws-chunked encoding, MinIO ordinarily verifies signatures at the end of a chunk. This check can be skipped if the client sends a false chunk size that is much greater than the actual data sent: the server accepts and completes the request without ever reaching the end of the chunk, and thereby without ever checking the chunk signature. This is fixed in version RELEASE.2021-03-17T02-33-02Z. As a workaround, one can avoid using "aws-chunked" encoding-based chunk-signature upload requests and instead use TLS. MinIO SDKs automatically disable chunked-encoding signatures when the server endpoint is configured with TLS. MinIO contains a vulnerability related to improper enforcement of the integrity of messages sent on a communication channel. Information may be tampered with.
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-202103-0649", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "minio", "scope": "lt", "trust": 1.0, "vendor": "minio", "version": "2021-03-17t02-33-02z" }, { "model": "minio", "scope": "eq", "trust": 0.8, "vendor": "minio", "version": null }, { "model": "minio", "scope": "eq", "trust": 0.8, "vendor": "minio", "version": 
"2021-03-17t02-33-02z" } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2021-004964" }, { "db": "NVD", "id": "CVE-2021-21390" } ] }, "configurations": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/configurations#", "children": { "@container": "@list" }, "cpe_match": { "@container": "@list" }, "data": { "@container": "@list" }, "nodes": { "@container": "@list" } }, "data": [ { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "2021-03-17t02-33-02z", "vulnerable": true } ], "operator": "OR" } ] } ], "sources": [ { "db": "NVD", "id": "CVE-2021-21390" } ] }, "cve": "CVE-2021-21390", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [ { "acInsufInfo": false, "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "author": "NVD", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "exploitabilityScore": 8.6, "impactScore": 2.9, "integrityImpact": "PARTIAL", "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "trust": 1.0, "userInteractionRequired": false, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, { "acInsufInfo": null, "accessComplexity": "Medium", "accessVector": "Network", "authentication": 
"None", "author": "NVD", "availabilityImpact": "None", "baseScore": 4.3, "confidentialityImpact": "None", "exploitabilityScore": null, "id": "CVE-2021-21390", "impactScore": null, "integrityImpact": "Partial", "obtainAllPrivilege": null, "obtainOtherPrivilege": null, "obtainUserPrivilege": null, "severity": "Medium", "trust": 0.9, "userInteractionRequired": null, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" } ], "cvssV3": [ { "attackComplexity": "HIGH", "attackVector": "NETWORK", "author": "NVD", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "exploitabilityScore": 2.2, "impactScore": 3.6, "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "trust": 1.0, "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" }, { "attackComplexity": "LOW", "attackVector": "NETWORK", "author": "security-advisories@github.com", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "exploitabilityScore": 2.8, "impactScore": 3.6, "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "trust": 1.0, "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1" }, { "attackComplexity": "High", "attackVector": "Network", "author": "NVD", "availabilityImpact": "None", "baseScore": 5.9, "baseSeverity": "Medium", "confidentialityImpact": "None", "exploitabilityScore": null, "id": "CVE-2021-21390", "impactScore": null, "integrityImpact": "High", "privilegesRequired": "None", "scope": "Unchanged", "trust": 0.8, "userInteraction": "None", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.0" } ], "severity": [ { "author": "NVD", "id": "CVE-2021-21390", "trust": 1.8, "value": "MEDIUM" }, { "author": "security-advisories@github.com", "id": "CVE-2021-21390", "trust": 1.0, "value": "MEDIUM" }, 
{ "author": "CNNVD", "id": "CNNVD-202103-1206", "trust": 0.6, "value": "MEDIUM" }, { "author": "VULMON", "id": "CVE-2021-21390", "trust": 0.1, "value": "MEDIUM" } ] } ], "sources": [ { "db": "VULMON", "id": "CVE-2021-21390" }, { "db": "JVNDB", "id": "JVNDB-2021-004964" }, { "db": "NVD", "id": "CVE-2021-21390" }, { "db": "NVD", "id": "CVE-2021-21390" }, { "db": "CNNVD", "id": "CNNVD-202103-1206" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "MinIO is an open-source high performance object storage service and it is API compatible with Amazon S3 cloud storage service. In MinIO before version RELEASE.2021-03-17T02-33-02Z, there is a vulnerability which enables MITM modification of request bodies that are meant to have integrity guaranteed by chunk signatures. In a PUT request using aws-chunked encoding, MinIO ordinarily verifies signatures at the end of a chunk. This check can be skipped if the client sends a false chunk size that is much greater than the actual data sent: the server accepts and completes the request without ever reaching the end of the chunk + thereby without ever checking the chunk signature. This is fixed in version RELEASE.2021-03-17T02-33-02Z. As a workaround one can avoid using \"aws-chunked\" encoding-based chunk signature upload requests instead use TLS. MinIO SDKs automatically disable chunked encoding signature when the server endpoint is configured with TLS. 
MinIO Contains a vulnerability related to improper enforcement of the integrity of messages being sent on a communication channel.Information may be tampered with", "sources": [ { "db": "NVD", "id": "CVE-2021-21390" }, { "db": "JVNDB", "id": "JVNDB-2021-004964" }, { "db": "VULMON", "id": "CVE-2021-21390" } ], "trust": 1.71 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2021-21390", "trust": 2.5 }, { "db": "JVNDB", "id": "JVNDB-2021-004964", "trust": 0.8 }, { "db": "CNNVD", "id": "CNNVD-202103-1206", "trust": 0.6 }, { "db": "VULMON", "id": "CVE-2021-21390", "trust": 0.1 } ], "sources": [ { "db": "VULMON", "id": "CVE-2021-21390" }, { "db": "JVNDB", "id": "JVNDB-2021-004964" }, { "db": "NVD", "id": "CVE-2021-21390" }, { "db": "CNNVD", "id": "CNNVD-202103-1206" } ] }, "id": "VAR-202103-0649", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "VARIoT devices database", "id": null } ], "trust": 0.18899521 }, "last_update_date": "2023-12-18T13:37:29.089000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "Chunked\u00a0body\u00a0signature\u00a0check\u00a0not\u00a0always\u00a0applied", "trust": 0.8, "url": "https://github.com/minio/minio/commit/e197800f9055489415b53cf137e31e194aaf7ba0" }, { "title": "Minio MinIO Security vulnerabilities", "trust": 0.6, "url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=144642" }, { "title": "Arch Linux Issues: ", "trust": 0.1, "url": 
"https://vulmon.com/vendoradvisory?qidtp=arch_linux_issues\u0026qid=cve-2021-21390 log" } ], "sources": [ { "db": "VULMON", "id": "CVE-2021-21390" }, { "db": "JVNDB", "id": "JVNDB-2021-004964" }, { "db": "CNNVD", "id": "CNNVD-202103-1206" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "CWE-924", "trust": 1.0 }, { "problemtype": "Improper enforcement of the integrity of the message being sent on the communication channel (CWE-924) [NVD Evaluation ]", "trust": 0.8 } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2021-004964" }, { "db": "NVD", "id": "CVE-2021-21390" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 1.7, "url": "https://github.com/minio/minio/commit/e197800f9055489415b53cf137e31e194aaf7ba0" }, { "trust": 1.7, "url": "https://github.com/minio/minio/pull/11801" }, { "trust": 1.7, "url": "https://github.com/minio/minio/security/advisories/ghsa-xr7r-7gpj-5pgp" }, { "trust": 1.4, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-21390" }, { "trust": 0.2, "url": "https://cwe.mitre.org/data/definitions/924.html" }, { "trust": 0.1, "url": "https://nvd.nist.gov" }, { "trust": 0.1, "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/198457" } ], "sources": [ { "db": "VULMON", "id": "CVE-2021-21390" }, { "db": "JVNDB", "id": "JVNDB-2021-004964" }, { "db": "NVD", "id": "CVE-2021-21390" }, { "db": "CNNVD", "id": "CNNVD-202103-1206" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "VULMON", "id": "CVE-2021-21390" }, { "db": "JVNDB", "id": "JVNDB-2021-004964" }, { "db": "NVD", "id": 
"CVE-2021-21390" }, { "db": "CNNVD", "id": "CNNVD-202103-1206" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2021-03-19T00:00:00", "db": "VULMON", "id": "CVE-2021-21390" }, { "date": "2021-12-02T00:00:00", "db": "JVNDB", "id": "JVNDB-2021-004964" }, { "date": "2021-03-19T16:15:12.920000", "db": "NVD", "id": "CVE-2021-21390" }, { "date": "2021-03-19T00:00:00", "db": "CNNVD", "id": "CNNVD-202103-1206" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2021-03-25T00:00:00", "db": "VULMON", "id": "CVE-2021-21390" }, { "date": "2021-12-02T09:08:00", "db": "JVNDB", "id": "JVNDB-2021-004964" }, { "date": "2021-03-25T20:29:34.060000", "db": "NVD", "id": "CVE-2021-21390" }, { "date": "2021-03-29T00:00:00", "db": "CNNVD", "id": "CNNVD-202103-1206" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "CNNVD", "id": "CNNVD-202103-1206" } ], "trust": 0.6 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "MinIO\u00a0 Vulnerability in improper enforcement of message integrity being sent on a communication channel in", "sources": [ { "db": "JVNDB", "id": "JVNDB-2021-004964" } ], "trust": 0.8 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "other", "sources": [ { "db": "CNNVD", "id": "CNNVD-202103-1206" } ], "trust": 0.6 } }
var-202112-1852
Vulnerability from variot
MinIO is a Kubernetes native application for cloud storage. Prior to version RELEASE.2021-12-27T07-23-18Z, a malicious client can hand-craft an HTTP API call that allows for updating policy for a user and gaining higher privileges. The patch in version RELEASE.2021-12-27T07-23-18Z changes the accepted request body type and removes the ability to apply policy changes through this API. There is a workaround for this vulnerability: changing passwords can be disabled by adding an explicit Deny rule to disable the API for users. MinIO contains an improper authentication vulnerability. Information may be obtained, information may be tampered with, and service operation may be interrupted (DoS). Minio MinIO is an open source object storage server of MinIO (Minio) company in the United States. The product supports building infrastructure for machine learning, analytics, and application data workloads. Patch with version number RELEASE. No detailed vulnerability details are currently available. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===================================================================== Red Hat Security Advisory
Synopsis: Important: Red Hat Advanced Cluster Management 2.4.2 security updates and bug fixes Advisory ID: RHSA-2022:0735-01 Product: Red Hat ACM Advisory URL: https://access.redhat.com/errata/RHSA-2022:0735 Issue date: 2022-03-03 CVE Names: CVE-2021-3521 CVE-2021-3712 CVE-2021-3807 CVE-2021-3872 CVE-2021-3918 CVE-2021-3984 CVE-2021-4019 CVE-2021-4034 CVE-2021-4122 CVE-2021-4155 CVE-2021-4192 CVE-2021-4193 CVE-2021-22963 CVE-2021-41089 CVE-2021-41091 CVE-2021-42574 CVE-2021-43565 CVE-2021-43816 CVE-2021-43858 CVE-2022-0185 CVE-2022-0235 CVE-2022-24407 CVE-2022-24450 =====================================================================
- Summary:
Red Hat Advanced Cluster Management for Kubernetes 2.4.2 General Availability release images. This update provides security fixes, fixes bugs, and updates the container images.
Red Hat Product Security has rated this update as having a security impact of Important.
- Description:
Red Hat Advanced Cluster Management for Kubernetes 2.4.2 images
Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Clusters and applications are all visible and managed from a single console—with security policy built in.
Red Hat Product Security has rated this update as having a security impact of Important.
This advisory contains the container images for Red Hat Advanced Cluster Management for Kubernetes, which provide some security fixes and bug fixes. See the following Release Notes documentation, which will be updated shortly for this release, for additional details about this release:
https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.4/html/release_notes/
Security updates:
-
nodejs-json-schema: Prototype pollution vulnerability (CVE-2021-3918)
-
containerd: Unprivileged pod may bind mount any privileged regular file on disk (CVE-2021-43816)
-
minio-go: user privilege escalation in AddUser() admin API (CVE-2021-43858)
-
nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes (CVE-2021-3807)
-
fastify-static: open redirect via an URL with double slash followed by a domain (CVE-2021-22963)
-
moby:
docker cp
allows unexpected chmod of host file (CVE-2021-41089) -
moby: data directory contains subdirectories with insufficiently restricted permissions, which could lead to directory traversal (CVE-2021-41091)
-
golang.org/x/crypto: empty plaintext packet causes panic (CVE-2021-43565)
-
node-fetch: Exposure of Sensitive Information to an Unauthorized Actor (CVE-2022-0235)
-
nats-server: misusing the "dynamically provisioned sandbox accounts" feature authenticated user can obtain the privileges of the System account (CVE-2022-24450)
Bug fixes:
-
Trying to create a new cluster on vSphere and no feedback, stuck in "creating" (Bugzilla #1937078)
-
The hyperlink of *ks cluster node cannot be opened when I want to check the node (Bugzilla #2028100)
-
Unable to make SSH connection to a Bitbucket server (Bugzilla #2028196)
-
RHACM cannot deploy Helm Charts with version numbers starting with letters (e.g. v1.6.1) (Bugzilla #2028931)
-
RHACM 2.4.2 images (Bugzilla #2029506)
-
Git Application still appears in Application Table and Resources are Still Seen in Advanced Configuration Upon Deletion after Upgrade from 2.4.0 (Bugzilla #2030005)
-
Namespace left orphaned after destroying the cluster (Bugzilla #2030379)
-
The results filtered through the filter contain some data that should not be present in cluster page (Bugzilla #2034198)
-
Git over ssh doesn't use custom port set in url (Bugzilla #2036057)
-
The value of name label changed from clusterclaim name to cluster name (Bugzilla #2042223)
-
ACM configuration policies do not handle Limitrange or Quotas values (Bugzilla #2042545)
-
Cluster addons do not appear after upgrade from ACM 2.3.5 to ACM 2.3.6 (Bugzilla #2050847)
-
The azure government regions were not list in the region drop down list when creating the cluster (Bugzilla #2051797)
-
Solution:
Before applying this update, make sure all previously released errata relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.4/html-single/install/index#installing
- Bugs fixed (https://bugzilla.redhat.com/):
2001668 - [DDF] normally, in the OCP web console, one sees a yaml of the secret, where at the bottom, the following is shown:
2007557 - CVE-2021-3807 nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes
2008592 - CVE-2021-41089 moby: docker cp
allows unexpected chmod of host file
2012909 - [DDF] We feel it would be beneficial to add a sub-section here referencing the reconcile options available to users when
2015152 - CVE-2021-22963 fastify-static: open redirect via an URL with double slash followed by a domain
2023448 - CVE-2021-41091 moby: data directory contains subdirectories with insufficiently restricted permissions, which could lead to directory traversal
2024702 - CVE-2021-3918 nodejs-json-schema: Prototype pollution vulnerability
2028100 - The hyperlink of *ks cluster node can not be opened when I want to check the node
2028196 - Unable to make SSH connection to a Bitbucket server
2028931 - RHACM can not deploy Helm Charts with version numbers starting with letters (e.g. v1.6.1)
2029506 - RHACM 2.4.2 images
2030005 - Git Application still appears in Application Table and Resources are Still Seen in Advanced Configuration Upon Deletion after Upgrade from 2.4.0
2030379 - Namespace left orphaned after destroying the cluster
2030787 - CVE-2021-43565 golang.org/x/crypto: empty plaintext packet causes panic
2032957 - Missing AWX templates in ACM
2034198 - The results filtered through the filter contain some data that should not be present in cluster page
2036057 - git over ssh doesn't use custom port set in url
2036252 - CVE-2021-43858 minio: user privilege escalation in AddUser() admin API
2039378 - Deploying CRD via Application does not update status in ACM console
2041015 - The base domain did not updated when switch the provider credentials during create the cluster/cluster pool
2042545 - ACM configuration policies do not handle Limitrange or Quotas values
2043519 - "apps.open-cluster-management.io/git-branch" annotation should be mandatory
2044434 - CVE-2021-43816 containerd: Unprivileged pod may bind mount any privileged regular file on disk
2044591 - CVE-2022-0235 node-fetch: exposure of sensitive information to an unauthorized actor
2050847 - Cluster addons do not appear after upgrade from ACM 2.3.5 to ACM 2.3.6
2051797 - the azure government regions were not list in the region drop down list when create the cluster
2052573 - CVE-2022-24450 nats-server: misusing the "dynamically provisioned sandbox accounts" feature authenticated user can obtain the privileges of the System account
- References:
https://access.redhat.com/security/cve/CVE-2021-3521 https://access.redhat.com/security/cve/CVE-2021-3712 https://access.redhat.com/security/cve/CVE-2021-3807 https://access.redhat.com/security/cve/CVE-2021-3872 https://access.redhat.com/security/cve/CVE-2021-3918 https://access.redhat.com/security/cve/CVE-2021-3984 https://access.redhat.com/security/cve/CVE-2021-4019 https://access.redhat.com/security/cve/CVE-2021-4034 https://access.redhat.com/security/cve/CVE-2021-4122 https://access.redhat.com/security/cve/CVE-2021-4155 https://access.redhat.com/security/cve/CVE-2021-4192 https://access.redhat.com/security/cve/CVE-2021-4193 https://access.redhat.com/security/cve/CVE-2021-22963 https://access.redhat.com/security/cve/CVE-2021-41089 https://access.redhat.com/security/cve/CVE-2021-41091 https://access.redhat.com/security/cve/CVE-2021-42574 https://access.redhat.com/security/cve/CVE-2021-43565 https://access.redhat.com/security/cve/CVE-2021-43816 https://access.redhat.com/security/cve/CVE-2021-43858 https://access.redhat.com/security/cve/CVE-2022-0185 https://access.redhat.com/security/cve/CVE-2022-0235 https://access.redhat.com/security/cve/CVE-2022-24407 https://access.redhat.com/security/cve/CVE-2022-24450 https://access.redhat.com/security/updates/classification/#important
- Contact:
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1
iQIVAwUBYiE9otzjgjWX9erEAQi0Ew/9EGNefP8TLEdc6Vq3zNtj01fnV0K4Crgi sgKVOx1PYO+xFfdJKXwN/dg4kCMZ5kXPzf+6BNudmEIjDxvl7/khvWnXfgXXX5Ml 7/7vAzSkHETk63ZS8WJuXKXrfs56jEnNVpi86DgsjYcPocXmKk93OST0UlBV+Qec QjepL6X/khbKb3nCFBgSmejW2XWmqUNZ/XFOmrUtxxMyJ1PJTKmmpSIwWNy0uz9M vIECOhYPR9cOzF8NNQ5rby4/s7NyHnxLTWJcoUCNjCpJc7o7AswbQHjceLU3gX+b wkqNt7t7cEiBMvOdhRKWOyjVZ7hI8CbplRdJga52NsqhZtVMGXatK06DtTlPp4E4 RUo+gO2ipbld2KlFydBF/Rohm4xls9yzYt6uGaxH+HW75hLJLNyDPYitZptvuWAT BJFVTguNuLw9M8dk7vnbGCHZGJSz0GAKW53kx7SGe4DFcFpUtfUPua1ZLdAyuz9y ajYfbvvr4G34hxl6H/ovFzd5ydrSZpOtP43jWSBiySYRe5oOCWupp5vt3TwJOWsT ac6t4q350GEcUNRin99AGVv7Ch1Herrs+oVl4wd4jmtpHe35q2sOW4HlFhEOfsqa Gy4qDhuSxvfie0ONHVAQylj7XsRdLfClRhWCT0YmZyXcZlbELom99aDapDO8Hioa eqF6R05B/GE= =IaEk -----END PGP SIGNATURE-----
-- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce . (BZ# 2033339)
-
Restore/backup shows up as Validation failed but the restore backup status in ACM shows success (BZ# 2034279)
-
Observability - OCP 311 node role are not displayed completely (BZ# 2038650)
-
Documented uninstall procedure leaves many leftovers (BZ# 2041921)
-
infrastructure-operator pod crashes due to insufficient privileges in ACM 2.5 (BZ# 2046554)
-
Acm failed to install due to some missing CRDs in operator (BZ# 2047463)
-
Navigation icons no longer showing in ACM 2.5 (BZ# 2051298)
-
ACM home page now includes /home/ in url (BZ# 2051299)
-
proxy heading in Add Credential should be capitalized (BZ# 2051349)
-
ACM 2.5 tries to create new MCE instance when install on top of existing MCE 2.0 (BZ# 2051983)
-
Create Policy button does not work and user cannot use console to create policy (BZ# 2053264)
-
No cluster information was displayed after a policyset was created (BZ# 2053366)
-
Dynamic plugin update does not take effect in Firefox (BZ# 2053516)
-
Replicated policy should not be available when creating a Policy Set (BZ# 2054431)
-
Placement section in Policy Set wizard does not reset when users click "Back" to re-configured placement (BZ# 2054433)
-
Bugs fixed (https://bugzilla.redhat.com/):
2014557 - RFE Copy secret with specific secret namespace, name for source and name, namespace and cluster label for target
2024702 - CVE-2021-3918 nodejs-json-schema: Prototype pollution vulnerability
2024938 - CVE-2021-41190 opencontainers: OCI manifest and index parsing confusion
2028224 - RHACM 2.5.0 images
2028348 - [UI] When you delete host agent from infraenv no confirmation message appear (Are you sure you want to delete x?)
2028647 - Clusters are in 'Degraded' status with upgrade env due to obs-controller not working properly
2030787 - CVE-2021-43565 golang.org/x/crypto: empty plaintext packet causes panic
2033339 - create cluster pool -> choose infra type , As a result infra providers disappear from UI.
2073179 - Policy controller was unable to retrieve violation status in for an OCP 3.11 managed cluster on ARM hub
2073330 - Observabilityy - memory usage data are not collected even collect rule is fired on SNO
2073355 - Get blank page when click policy with unknown status in Governance -> Overview page
2073508 - Thread responsible to get insights data from ks clusters is broken
2073557 - appsubstatus is not deleted for Helm applications when changing between 2 managed clusters
2073726 - Placement of First Subscription gets overlapped by the Cluster Node in Application Topology
2073739 - Console/App LC - Error message saying resource conflict only shows up in standalone ACM but not in Dynamic plugin
2073740 - Console/App LC- Apps are deployed even though deployment do not proceed because of "resource conflict" error
2074178 - Editing Helm Argo Applications does not Prune Old Resources
2074626 - Policy placement failure during ZTP SNO scale test
2074689 - CVE-2022-21803 nconf: Prototype pollution in memory store
2074803 - The import cluster YAML editor shows the klusterletaddonconfig was required on MCE portal
2074937 - UI allows creating cluster even when there are no ClusterImageSets
2075416 - infraEnv failed to create image after restore
2075440 - The policyreport CR is created for spoke clusters until restarted the insights-client pod
2075739 - The lookup function won't check the referred resource whether exist when using template policies
2076421 - Can't select existing placement for policy or policyset when editing policy or policyset
2076494 - No policyreport CR for spoke clusters generated in the disconnected env
2076502 - The policyset card doesn't show the cluster status(violation/without violation) again after deleted one policy
2077144 - GRC Ansible automation wizard does not display error of missing dependent Ansible Automation Platform operator
2077149 - App UI shows no clusters cluster column of App Table when Discovery Applications is deployed to a managed cluster
2077291 - Prometheus doesn't display acm_managed_cluster_info after upgrade from 2.4 to 2.5
2077304 - Create Cluster button is disabled only if other clusters exist
2077526 - ACM UI is very very slow after upgrade from 2.4 to 2.5
2077562 - Console/App LC- Helm and Object bucket applications are not showing as deployed in the UI
2077751 - Can't create a template policy from UI when the object's name is referring Golang text template syntax in this policy
2077783 - Still show violation for clusterserviceversions after enforced "Detect Image vulnerabilities " policy template and the operator is installed
2077951 - Misleading message indicated that a placement of a policy became one managed only by policy set
2078164 - Failed to edit a policy without placement
2078167 - Placement binding and rule names are not created in yaml when editing a policy previously created with no placement
2078373 - Disable the hyperlink of ks node in standalone MCE environment since the search component does not exist
2078617 - Azure public credential details get pre-populated with base domain name in UI
2078952 - View pod logs in search details returns error
2078973 - Crashed pod is marked with success in Topology
2079013 - Changing existing placement rules does not change YAML file
2079015 - Uninstall pod crashed when destroying Azure Gov cluster in ACM
2079421 - Hyphen(s) is deleted unexpectedly in UI when yaml is turned on
2079494 - Hitting Enter in yaml editor caused unexpected keys "key00x:" to be created
2079533 - Clusters with no default clusterset do not get assigned default cluster when upgrading from ACM 2.4 to 2.5
2079585 - When an Ansible Secret is propagated to an Ansible Application namespace, the propagated secret is shown in the Credentials page
2079611 - Edit appset placement in UI with a different existing placement causes the current associated placement being deleted
2079615 - Edit appset placement in UI with a new placement throws error upon submitting
2079658 - Cluster Count is Incorrect in Application UI
2079909 - Wrong message is displayed when GRC fails to connect to an ansible tower
2080172 - Still create policy automation successfully when the PolicyAutomation name exceed 63 characters
2080215 - Get a blank page after go to policies page in upgraded env when using an user with namespace-role-binding of default view role
2080279 - CVE-2022-29810 go-getter: writes SSH credentials into logfile, exposing sensitive credentials to local users
2080503 - vSphere network name doesn't allow entering spaces and doesn't reflect YAML changes
2080567 - Number of cluster in violation in the table does not match other cluster numbers on the policy set details page
2080712 - Select an existing placement configuration does not work
2080776 - Unrecognized characters are displayed on policy and policy set yaml editors
2081792 - When deploying an application to a clusterpool claimed cluster after upgrade, the application does not get deployed to the cluster
2081810 - Type '-' character in Name field caused previously typed character backspaced in in the name field of policy wizard
2081829 - Application deployed on local cluster's topology is crashing after upgrade
2081938 - The deleted policy still be shown on the policyset review page when edit this policy set
2082226 - Object Storage Topology includes residue of resources after Upgrade
2082409 - Policy set details panel remains even after the policy set has been deleted
2082449 - The hypershift-addon-agent deployment did not have imagePullSecrets
2083038 - Warning still refers to the `klusterlet-addon-appmgr` pod rather than the `application-manager` pod
2083160 - When editing a helm app with failing resources to another, the appsubstatus and the managedclusterview do not get updated
2083434 - The provider-credential-controller did not support the RHV credentials type
2083854 - When deploying an application with ansiblejobs multiple times with different namespaces, the topology shows all the ansiblejobs rather than just the one within the namespace
2083870 - When editing an existing application and refreshing the `Select an existing placement configuration`, multiple occurrences of the placementrule get displayed
2084034 - The status message looks messy in the policy set card, suggest one kind status one a row
2084158 - Support provisioning bm cluster where no provisioning network provided
2084622 - Local Helm application shows cluster resources as `Not Deployed` in Topology [Upgrade]
2085083 - Policies fail to copy to cluster namespace after ACM upgrade
2085237 - Resources referenced by a channel are not annotated with backup label
2085273 - Error querying for ansible job in app topology
2085281 - Template name error is reported but the template name was found in a different replicated policy
2086389 - The policy violations for hibernated cluster still be displayed on the policy set details page
2087515 - Validation thrown out in configuration for disconnect install while creating bm credential
2088158 - Object Storage Application deployed to all clusters is showing unemployed in topology [Upgrade]
2088511 - Some cluster resources are not showing labels that are defined in the YAML
5
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-202112-1852", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "minio", "scope": "lt", "trust": 1.0, "vendor": "minio", "version": "2021-12-27t07-23-18z" }, { "model": "minio", "scope": "eq", "trust": 0.8, "vendor": "minio", "version": "release.2021-12-27t07-23-18z" }, { "model": "minio", "scope": "eq", "trust": 0.8, 
"vendor": "minio", "version": null }, { "model": "\u003c2021-12-27t07-23-18z", "scope": null, "trust": 0.6, "vendor": "minio", "version": null } ], "sources": [ { "db": "CNVD", "id": "CNVD-2022-08921" }, { "db": "JVNDB", "id": "JVNDB-2021-017335" }, { "db": "NVD", "id": "CVE-2021-43858" } ] }, "credits": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/credits#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Red Hat", "sources": [ { "db": "PACKETSTORM", "id": "166199" }, { "db": "PACKETSTORM", "id": "167459" } ], "trust": 0.2 }, "cve": "CVE-2021-43858", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [ { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "author": "nvd@nist.gov", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "exploitabilityScore": 8.0, "id": "CVE-2021-43858", "impactScore": 6.4, "integrityImpact": "PARTIAL", "severity": "MEDIUM", "trust": 1.9, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" }, { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "author": "CNVD", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "exploitabilityScore": 8.0, "id": "CNVD-2022-08921", "impactScore": 6.4, 
"integrityImpact": "PARTIAL", "severity": "MEDIUM", "trust": 0.6, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" } ], "cvssV3": [ { "attackComplexity": "LOW", "attackVector": "NETWORK", "author": "security-advisories@github.com", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "exploitabilityScore": 2.8, "id": "CVE-2021-43858", "impactScore": 5.9, "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "trust": 1.0, "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, { "attackComplexity": "Low", "attackVector": "Network", "author": "OTHER", "availabilityImpact": "High", "baseScore": 8.8, "baseSeverity": "High", "confidentialityImpact": "High", "exploitabilityScore": null, "id": "JVNDB-2021-017335", "impactScore": null, "integrityImpact": "High", "privilegesRequired": "Low", "scope": "Unchanged", "trust": 0.8, "userInteraction": "None", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" } ], "severity": [ { "author": "nvd@nist.gov", "id": "CVE-2021-43858", "trust": 1.0, "value": "MEDIUM" }, { "author": "security-advisories@github.com", "id": "CVE-2021-43858", "trust": 1.0, "value": "HIGH" }, { "author": "NVD", "id": "CVE-2021-43858", "trust": 0.8, "value": "High" }, { "author": "CNVD", "id": "CNVD-2022-08921", "trust": 0.6, "value": "MEDIUM" }, { "author": "CNNVD", "id": "CNNVD-202112-2635", "trust": 0.6, "value": "HIGH" }, { "author": "VULMON", "id": "CVE-2021-43858", "trust": 0.1, "value": "MEDIUM" } ] } ], "sources": [ { "db": "CNVD", "id": "CNVD-2022-08921" }, { "db": "VULMON", "id": "CVE-2021-43858" }, { "db": "JVNDB", "id": "JVNDB-2021-017335" }, { "db": "CNNVD", "id": "CNNVD-202112-2635" }, { "db": "NVD", "id": "CVE-2021-43858" }, { "db": "NVD", "id": "CVE-2021-43858" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { 
"@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "MinIO is a Kubernetes native application for cloud storage. Prior to version `RELEASE.2021-12-27T07-23-18Z`, a malicious client can hand-craft an HTTP API call that allows for updating policy for a user and gaining higher privileges. The patch in version `RELEASE.2021-12-27T07-23-18Z` changes the accepted request body type and removes the ability to apply policy changes through this API. There is a workaround for this vulnerability: Changing passwords can be disabled by adding an explicit `Deny` rule to disable the API for users. MinIO Exists in a fraudulent authentication vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. Minio MinIO is an open source object storage server of MinIO (Minio) company in the United States. The product supports building infrastructure for machine learning, analytics, and application data workloads. Patch with version number RELEASE. No detailed vulnerability details are currently available. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n=====================================================================\n Red Hat Security Advisory\n\nSynopsis: Important: Red Hat Advanced Cluster Management 2.4.2 security updates and bug fixes\nAdvisory ID: RHSA-2022:0735-01\nProduct: Red Hat ACM\nAdvisory URL: https://access.redhat.com/errata/RHSA-2022:0735\nIssue date: 2022-03-03\nCVE Names: CVE-2021-3521 CVE-2021-3712 CVE-2021-3807 \n CVE-2021-3872 CVE-2021-3918 CVE-2021-3984 \n CVE-2021-4019 CVE-2021-4034 CVE-2021-4122 \n CVE-2021-4155 CVE-2021-4192 CVE-2021-4193 \n CVE-2021-22963 CVE-2021-41089 CVE-2021-41091 \n CVE-2021-42574 CVE-2021-43565 CVE-2021-43816 \n CVE-2021-43858 CVE-2022-0185 CVE-2022-0235 \n CVE-2022-24407 CVE-2022-24450 \n=====================================================================\n\n1. 
Summary:\n\nRed Hat Advanced Cluster Management for Kubernetes 2.4.2 General\nAvailability\nrelease images. This update provides security fixes, fixes bugs, and\nupdates the container images. \n\nRed Hat Product Security has rated this update as having a security impact\nof\nImportant. \n\n2. Description:\n\nRed Hat Advanced Cluster Management for Kubernetes 2.4.2 images\n\nRed Hat Advanced Cluster Management for Kubernetes provides the\ncapabilities to address common challenges that administrators and site\nreliability engineers face as they work across a range of public and\nprivate cloud environments. Clusters and applications are all visible and\nmanaged from a single console\u2014with security policy built in. \n\nRed Hat Product Security has rated this update as having a security impact\nof Important. \n\nThis advisory contains the container images for Red Hat Advanced Cluster\nManagement for Kubernetes, which provide some security fixes and bug fixes. \nSee the following Release Notes documentation, which will be updated\nshortly for this release, for additional details about this release:\n\nhttps://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.4/html/release_notes/\n\nSecurity updates:\n\n* nodejs-json-schema: Prototype pollution vulnerability (CVE-2021-3918)\n\n* containerd: Unprivileged pod may bind mount any privileged regular file\non disk (CVE-2021-43816)\n\n* minio-go: user privilege escalation in AddUser() admin API\n(CVE-2021-43858)\n\n* nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching\nANSI escape codes (CVE-2021-3807)\n\n* fastify-static: open redirect via an URL with double slash followed by a\ndomain (CVE-2021-22963)\n\n* moby: `docker cp` allows unexpected chmod of host file (CVE-2021-41089)\n\n* moby: data directory contains subdirectories with insufficiently\nrestricted permissions, which could lead to directory traversal\n(CVE-2021-41091)\n\n* golang.org/x/crypto: empty 
plaintext packet causes panic (CVE-2021-43565)\n\n* node-fetch: Exposure of Sensitive Information to an Unauthorized Actor\n(CVE-2022-0235)\n\n* nats-server: misusing the \"dynamically provisioned sandbox accounts\"\nfeature authenticated user can obtain the privileges of the System account\n(CVE-2022-24450)\n\nBug fixes:\n\n* Trying to create a new cluster on vSphere and no feedback, stuck in\n\"creating\" (Bugzilla #1937078)\n\n* The hyperlink of *ks cluster node cannot be opened when I want to check\nthe node (Bugzilla #2028100)\n\n* Unable to make SSH connection to a Bitbucket server (Bugzilla #2028196)\n\n* RHACM cannot deploy Helm Charts with version numbers starting with\nletters (e.g. v1.6.1) (Bugzilla #2028931)\n\n* RHACM 2.4.2 images (Bugzilla #2029506)\n\n* Git Application still appears in Application Table and Resources are\nStill Seen in Advanced Configuration Upon Deletion after Upgrade from 2.4.0\n(Bugzilla #2030005)\n\n* Namespace left orphaned after destroying the cluster (Bugzilla #2030379)\n\n* The results filtered through the filter contain some data that should not\nbe present in cluster page (Bugzilla #2034198)\n\n* Git over ssh doesn\u0027t use custom port set in url (Bugzilla #2036057)\n\n* The value of name label changed from clusterclaim name to cluster name\n(Bugzilla #2042223)\n\n* ACM configuration policies do not handle Limitrange or Quotas values\n(Bugzilla #2042545)\n\n* Cluster addons do not appear after upgrade from ACM 2.3.5 to ACM 2.3.6\n(Bugzilla #2050847)\n\n* The azure government regions were not list in the region drop down list\nwhen creating the cluster (Bugzilla #2051797)\n\n3. Solution:\n\nBefore applying this update, make sure all previously released errata\nrelevant to your system have been applied. \n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.4/html-single/install/index#installing\n\n4. 
Bugs fixed (https://bugzilla.redhat.com/):\n\n2001668 - [DDF] normally, in the OCP web console, one sees a yaml of the secret, where at the bottom, the following is shown:\n2007557 - CVE-2021-3807 nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes\n2008592 - CVE-2021-41089 moby: `docker cp` allows unexpected chmod of host file\n2012909 - [DDF] We feel it would be beneficial to add a sub-section here referencing the reconcile options available to users when\n2015152 - CVE-2021-22963 fastify-static: open redirect via an URL with double slash followed by a domain\n2023448 - CVE-2021-41091 moby: data directory contains subdirectories with insufficiently restricted permissions, which could lead to directory traversal\n2024702 - CVE-2021-3918 nodejs-json-schema: Prototype pollution vulnerability\n2028100 - The hyperlink of *ks cluster node can not be opened when I want to check the node\n2028196 - Unable to make SSH connection to a Bitbucket server\n2028931 - RHACM can not deploy Helm Charts with version numbers starting with letters (e.g. 
v1.6.1)\n2029506 - RHACM 2.4.2 images\n2030005 - Git Application still appears in Application Table and Resources are Still Seen in Advanced Configuration Upon Deletion after Upgrade from 2.4.0\n2030379 - Namespace left orphaned after destroying the cluster\n2030787 - CVE-2021-43565 golang.org/x/crypto: empty plaintext packet causes panic\n2032957 - Missing AWX templates in ACM\n2034198 - The results filtered through the filter contain some data that should not be present in cluster page\n2036057 - git over ssh doesn\u0027t use custom port set in url\n2036252 - CVE-2021-43858 minio: user privilege escalation in AddUser() admin API\n2039378 - Deploying CRD via Application does not update status in ACM console\n2041015 - The base domain did not updated when switch the provider credentials during create the cluster/cluster pool\n2042545 - ACM configuration policies do not handle Limitrange or Quotas values\n2043519 - \"apps.open-cluster-management.io/git-branch\" annotation should be mandatory\n2044434 - CVE-2021-43816 containerd: Unprivileged pod may bind mount any privileged regular file on disk\n2044591 - CVE-2022-0235 node-fetch: exposure of sensitive information to an unauthorized actor\n2050847 - Cluster addons do not appear after upgrade from ACM 2.3.5 to ACM 2.3.6\n2051797 - the azure government regions were not list in the region drop down list when create the cluster\n2052573 - CVE-2022-24450 nats-server: misusing the \"dynamically provisioned sandbox accounts\" feature authenticated user can obtain the privileges of the System account\n\n5. 
References:\n\nhttps://access.redhat.com/security/cve/CVE-2021-3521\nhttps://access.redhat.com/security/cve/CVE-2021-3712\nhttps://access.redhat.com/security/cve/CVE-2021-3807\nhttps://access.redhat.com/security/cve/CVE-2021-3872\nhttps://access.redhat.com/security/cve/CVE-2021-3918\nhttps://access.redhat.com/security/cve/CVE-2021-3984\nhttps://access.redhat.com/security/cve/CVE-2021-4019\nhttps://access.redhat.com/security/cve/CVE-2021-4034\nhttps://access.redhat.com/security/cve/CVE-2021-4122\nhttps://access.redhat.com/security/cve/CVE-2021-4155\nhttps://access.redhat.com/security/cve/CVE-2021-4192\nhttps://access.redhat.com/security/cve/CVE-2021-4193\nhttps://access.redhat.com/security/cve/CVE-2021-22963\nhttps://access.redhat.com/security/cve/CVE-2021-41089\nhttps://access.redhat.com/security/cve/CVE-2021-41091\nhttps://access.redhat.com/security/cve/CVE-2021-42574\nhttps://access.redhat.com/security/cve/CVE-2021-43565\nhttps://access.redhat.com/security/cve/CVE-2021-43816\nhttps://access.redhat.com/security/cve/CVE-2021-43858\nhttps://access.redhat.com/security/cve/CVE-2022-0185\nhttps://access.redhat.com/security/cve/CVE-2022-0235\nhttps://access.redhat.com/security/cve/CVE-2022-24407\nhttps://access.redhat.com/security/cve/CVE-2022-24450\nhttps://access.redhat.com/security/updates/classification/#important\n\n6. Contact:\n\nThe Red Hat security contact is \u003csecalert@redhat.com\u003e. More contact\ndetails at https://access.redhat.com/security/team/contact/\n\nCopyright 2022 Red Hat, Inc. 
\n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1\n\niQIVAwUBYiE9otzjgjWX9erEAQi0Ew/9EGNefP8TLEdc6Vq3zNtj01fnV0K4Crgi\nsgKVOx1PYO+xFfdJKXwN/dg4kCMZ5kXPzf+6BNudmEIjDxvl7/khvWnXfgXXX5Ml\n7/7vAzSkHETk63ZS8WJuXKXrfs56jEnNVpi86DgsjYcPocXmKk93OST0UlBV+Qec\nQjepL6X/khbKb3nCFBgSmejW2XWmqUNZ/XFOmrUtxxMyJ1PJTKmmpSIwWNy0uz9M\nvIECOhYPR9cOzF8NNQ5rby4/s7NyHnxLTWJcoUCNjCpJc7o7AswbQHjceLU3gX+b\nwkqNt7t7cEiBMvOdhRKWOyjVZ7hI8CbplRdJga52NsqhZtVMGXatK06DtTlPp4E4\nRUo+gO2ipbld2KlFydBF/Rohm4xls9yzYt6uGaxH+HW75hLJLNyDPYitZptvuWAT\nBJFVTguNuLw9M8dk7vnbGCHZGJSz0GAKW53kx7SGe4DFcFpUtfUPua1ZLdAyuz9y\najYfbvvr4G34hxl6H/ovFzd5ydrSZpOtP43jWSBiySYRe5oOCWupp5vt3TwJOWsT\nac6t4q350GEcUNRin99AGVv7Ch1Herrs+oVl4wd4jmtpHe35q2sOW4HlFhEOfsqa\nGy4qDhuSxvfie0ONHVAQylj7XsRdLfClRhWCT0YmZyXcZlbELom99aDapDO8Hioa\neqF6R05B/GE=\n=IaEk\n-----END PGP SIGNATURE-----\n\n--\nRHSA-announce mailing list\nRHSA-announce@redhat.com\nhttps://listman.redhat.com/mailman/listinfo/rhsa-announce\n. (BZ# 2033339)\n\n* Restore/backup shows up as Validation failed but the restore backup\nstatus in ACM shows success (BZ# 2034279)\n\n* Observability - OCP 311 node role are not displayed completely (BZ#\n2038650)\n\n* Documented uninstall procedure leaves many leftovers (BZ# 2041921)\n\n* infrastructure-operator pod crashes due to insufficient privileges in ACM\n2.5 (BZ# 2046554)\n\n* Acm failed to install due to some missing CRDs in operator (BZ# 2047463)\n\n* Navigation icons no longer showing in ACM 2.5 (BZ# 2051298)\n\n* ACM home page now includes /home/ in url (BZ# 2051299)\n\n* proxy heading in Add Credential should be capitalized (BZ# 2051349)\n\n* ACM 2.5 tries to create new MCE instance when install on top of existing\nMCE 2.0 (BZ# 2051983)\n\n* Create Policy button does not work and user cannot use console to create\npolicy (BZ# 2053264)\n\n* No cluster information was displayed after a policyset was created (BZ#\n2053366)\n\n* Dynamic plugin update does not take effect in Firefox (BZ# 2053516)\n\n* Replicated policy 
should not be available when creating a Policy Set (BZ#\n2054431)\n\n* Placement section in Policy Set wizard does not reset when users click\n\"Back\" to re-configured placement (BZ# 2054433)\n\n3. Bugs fixed (https://bugzilla.redhat.com/):\n\n2014557 - RFE Copy secret with specific secret namespace, name for source and name, namespace and cluster label for target\n2024702 - CVE-2021-3918 nodejs-json-schema: Prototype pollution vulnerability\n2024938 - CVE-2021-41190 opencontainers: OCI manifest and index parsing confusion\n2028224 - RHACM 2.5.0 images\n2028348 - [UI] When you delete host agent from infraenv no confirmation message appear (Are you sure you want to delete x?)\n2028647 - Clusters are in \u0027Degraded\u0027 status with upgrade env due to obs-controller not working properly\n2030787 - CVE-2021-43565 golang.org/x/crypto: empty plaintext packet causes panic\n2033339 - create cluster pool -\u003e choose infra type , As a result infra providers disappear from UI. \n2073179 - Policy controller was unable to retrieve violation status in for an OCP 3.11 managed cluster on ARM hub\n2073330 - Observabilityy - memory usage data are not collected even collect rule is fired on SNO\n2073355 - Get blank page when click policy with unknown status in Governance -\u003e Overview page\n2073508 - Thread responsible to get insights data from *ks clusters is broken\n2073557 - appsubstatus is not deleted for Helm applications when changing between 2 managed clusters\n2073726 - Placement of First Subscription gets overlapped by the Cluster Node in Application Topology\n2073739 - Console/App LC - Error message saying resource conflict only shows up in standalone ACM but not in Dynamic plugin\n2073740 - Console/App LC- Apps are deployed even though deployment do not proceed because of \"resource conflict\" error\n2074178 - Editing Helm Argo Applications does not Prune Old Resources\n2074626 - Policy placement failure during ZTP SNO scale test\n2074689 - CVE-2022-21803 nconf: 
Prototype pollution in memory store\n2074803 - The import cluster YAML editor shows the klusterletaddonconfig was required on MCE portal\n2074937 - UI allows creating cluster even when there are no ClusterImageSets\n2075416 - infraEnv failed to create image after restore\n2075440 - The policyreport CR is created for spoke clusters until restarted the insights-client pod\n2075739 - The lookup function won\u0027t check the referred resource whether exist when using template policies\n2076421 - Can\u0027t select existing placement for policy or policyset when editing policy or policyset\n2076494 - No policyreport CR for spoke clusters generated in the disconnected env\n2076502 - The policyset card doesn\u0027t show the cluster status(violation/without violation) again after deleted one policy\n2077144 - GRC Ansible automation wizard does not display error of missing dependent Ansible Automation Platform operator\n2077149 - App UI shows no clusters cluster column of App Table when Discovery Applications is deployed to a managed cluster\n2077291 - Prometheus doesn\u0027t display acm_managed_cluster_info after upgrade from 2.4 to 2.5\n2077304 - Create Cluster button is disabled only if other clusters exist\n2077526 - ACM UI is very very slow after upgrade from 2.4 to 2.5\n2077562 - Console/App LC- Helm and Object bucket applications are not showing as deployed in the UI\n2077751 - Can\u0027t create a template policy from UI when the object\u0027s name is referring Golang text template syntax in this policy\n2077783 - Still show violation for clusterserviceversions after enforced \"Detect Image vulnerabilities \" policy template and the operator is installed\n2077951 - Misleading message indicated that a placement of a policy became one managed only by policy set\n2078164 - Failed to edit a policy without placement\n2078167 - Placement binding and rule names are not created in yaml when editing a policy previously created with no placement\n2078373 - Disable the hyperlink 
of *ks node in standalone MCE environment since the search component was not exists\n2078617 - Azure public credential details get pre-populated with base domain name in UI\n2078952 - View pod logs in search details returns error\n2078973 - Crashed pod is marked with success in Topology\n2079013 - Changing existing placement rules does not change YAML file\n2079015 - Uninstall pod crashed when destroying Azure Gov cluster in ACM\n2079421 - Hyphen(s) is deleted unexpectedly in UI when yaml is turned on\n2079494 - Hitting Enter in yaml editor caused unexpected keys \"key00x:\" to be created\n2079533 - Clusters with no default clusterset do not get assigned default cluster when upgrading from ACM 2.4 to 2.5\n2079585 - When an Ansible Secret is propagated to an Ansible Application namespace, the propagated secret is shown in the Credentials page\n2079611 - Edit appset placement in UI with a different existing placement causes the current associated placement being deleted\n2079615 - Edit appset placement in UI with a new placement throws error upon submitting\n2079658 - Cluster Count is Incorrect in Application UI\n2079909 - Wrong message is displayed when GRC fails to connect to an ansible tower\n2080172 - Still create policy automation successfully when the PolicyAutomation name exceed 63 characters\n2080215 - Get a blank page after go to policies page in upgraded env when using an user with namespace-role-binding of default view role\n2080279 - CVE-2022-29810 go-getter: writes SSH credentials into logfile, exposing sensitive credentials to local uses\n2080503 - vSphere network name doesn\u0027t allow entering spaces and doesn\u0027t reflect YAML changes\n2080567 - Number of cluster in violation in the table does not match other cluster numbers on the policy set details page\n2080712 - Select an existing placement configuration does not work\n2080776 - Unrecognized characters are displayed on policy and policy set yaml editors\n2081792 - When deploying an application 
to a clusterpool claimed cluster after upgrade, the application does not get deployed to the cluster\n2081810 - Type \u0027-\u0027 character in Name field caused previously typed character backspaced in in the name field of policy wizard\n2081829 - Application deployed on local cluster\u0027s topology is crashing after upgrade\n2081938 - The deleted policy still be shown on the policyset review page when edit this policy set\n2082226 - Object Storage Topology includes residue of resources after Upgrade\n2082409 - Policy set details panel remains even after the policy set has been deleted\n2082449 - The hypershift-addon-agent deployment did not have imagePullSecrets\n2083038 - Warning still refers to the `klusterlet-addon-appmgr` pod rather than the `application-manager` pod\n2083160 - When editing a helm app with failing resources to another, the appsubstatus and the managedclusterview do not get updated\n2083434 - The provider-credential-controller did not support the RHV credentials type\n2083854 - When deploying an application with ansiblejobs multiple times with different namespaces, the topology shows all the ansiblejobs rather than just the one within the namespace\n2083870 - When editing an existing application and refreshing the `Select an existing placement configuration`, multiple occurrences of the placementrule gets displayed\n2084034 - The status message looks messy in the policy set card, suggest one kind status one a row\n2084158 - Support provisioning bm cluster where no provisioning network provided\n2084622 - Local Helm application shows cluster resources as `Not Deployed` in Topology [Upgrade]\n2085083 - Policies fail to copy to cluster namespace after ACM upgrade\n2085237 - Resources referenced by a channel are not annotated with backup label\n2085273 - Error querying for ansible job in app topology\n2085281 - Template name error is reported but the template name was found in a different replicated policy\n2086389 - The policy violations for 
hibernated cluster still be displayed on the policy set details page\n2087515 - Validation thrown out in configuration for disconnect install while creating bm credential\n2088158 - Object Storage Application deployed to all clusters is showing unemployed in topology [Upgrade]\n2088511 - Some cluster resources are not showing labels that are defined in the YAML\n\n5", "sources": [ { "db": "NVD", "id": "CVE-2021-43858" }, { "db": "JVNDB", "id": "JVNDB-2021-017335" }, { "db": "CNVD", "id": "CNVD-2022-08921" }, { "db": "VULMON", "id": "CVE-2021-43858" }, { "db": "PACKETSTORM", "id": "166199" }, { "db": "PACKETSTORM", "id": "167459" } ], "trust": 2.43 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2021-43858", "trust": 4.1 }, { "db": "JVNDB", "id": "JVNDB-2021-017335", "trust": 0.8 }, { "db": "PACKETSTORM", "id": "166199", "trust": 0.7 }, { "db": "CNVD", "id": "CNVD-2022-08921", "trust": 0.6 }, { "db": "AUSCERT", "id": "ESB-2022.0903", "trust": 0.6 }, { "db": "AUSCERT", "id": "ESB-2022.2855", "trust": 0.6 }, { "db": "CNNVD", "id": "CNNVD-202112-2635", "trust": 0.6 }, { "db": "VULMON", "id": "CVE-2021-43858", "trust": 0.1 }, { "db": "PACKETSTORM", "id": "167459", "trust": 0.1 } ], "sources": [ { "db": "CNVD", "id": "CNVD-2022-08921" }, { "db": "VULMON", "id": "CVE-2021-43858" }, { "db": "JVNDB", "id": "JVNDB-2021-017335" }, { "db": "PACKETSTORM", "id": "166199" }, { "db": "PACKETSTORM", "id": "167459" }, { "db": "CNNVD", "id": "CNNVD-202112-2635" }, { "db": "NVD", "id": "CVE-2021-43858" } ] }, "id": "VAR-202112-1852", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "CNVD", "id": 
"CNVD-2022-08921" } ], "trust": 1.6 }, "iot_taxonomy": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "category": [ "Network device" ], "sub_category": null, "trust": 0.6 } ], "sources": [ { "db": "CNVD", "id": "CNVD-2022-08921" } ] }, "last_update_date": "2024-11-23T20:34:00.465000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "Security\u00a0Bugfix\u00a0Release GitHub", "trust": 0.8, "url": "https://github.com/minio/minio/commit/5a96cbbeaabd0a82b0fe881378e7c21c85091abf" }, { "title": "Patch for Unknown Vulnerability in Minio MinIO", "trust": 0.6, "url": "https://www.cnvd.org.cn/patchInfo/show/318121" }, { "title": "Minio MinIO Security vulnerabilities", "trust": 0.6, "url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=176258" }, { "title": "Red Hat: CVE-2021-43858", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_cve_database\u0026qid=CVE-2021-43858" }, { "title": "Red Hat: Important: Red Hat Advanced Cluster Management 2.4.2 security updates and bug fixes", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20220735 - Security Advisory" }, { "title": "Red Hat: Important: Red Hat Advanced Cluster Management 2.5 security updates, images, and bug fixes", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20224956 - Security Advisory" }, { "title": "cve-2021-43858", "trust": 0.1, "url": "https://github.com/morhax/cve-2021-43858 " }, { "title": "", "trust": 0.1, "url": "https://github.com/soosmile/POC " }, { "title": "", "trust": 0.1, "url": 
"https://github.com/SYRTI/POC_to_review " } ], "sources": [ { "db": "CNVD", "id": "CNVD-2022-08921" }, { "db": "VULMON", "id": "CVE-2021-43858" }, { "db": "JVNDB", "id": "JVNDB-2021-017335" }, { "db": "CNNVD", "id": "CNNVD-202112-2635" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "CWE-863", "trust": 1.0 }, { "problemtype": "CWE-269", "trust": 1.0 }, { "problemtype": "Illegal authentication (CWE-863) [NVD evaluation ]", "trust": 0.8 } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2021-017335" }, { "db": "NVD", "id": "CVE-2021-43858" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 2.3, "url": "https://github.com/minio/minio/pull/13976" }, { "trust": 1.7, "url": "https://github.com/minio/minio/commit/5a96cbbeaabd0a82b0fe881378e7c21c85091abf" }, { "trust": 1.7, "url": "https://github.com/minio/minio/releases/tag/release.2021-12-27t07-23-18z" }, { "trust": 1.7, "url": "https://github.com/minio/minio/security/advisories/ghsa-j6jc-jqqc-p6cx" }, { "trust": 1.7, "url": "https://github.com/minio/minio/pull/7949" }, { "trust": 1.5, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-43858" }, { "trust": 0.6, "url": "https://www.auscert.org.au/bulletins/esb-2022.2855" }, { "trust": 0.6, "url": "https://vigilance.fr/vulnerability/minio-privilege-escalation-via-http-api-call-updating-policy-37422" }, { "trust": 0.6, "url": "https://www.auscert.org.au/bulletins/esb-2022.0903" }, { "trust": 0.6, "url": "https://packetstormsecurity.com/files/166199/red-hat-security-advisory-2022-0735-01.html" }, { "trust": 0.3, "url": "https://access.redhat.com/security/cve/cve-2021-43858" }, { "trust": 0.2, 
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-3918" }, { "trust": 0.2, "url": "https://access.redhat.com/security/updates/classification/#important" }, { "trust": 0.2, "url": "https://access.redhat.com/security/cve/cve-2021-43565" }, { "trust": 0.2, "url": "https://listman.redhat.com/mailman/listinfo/rhsa-announce" }, { "trust": 0.2, "url": "https://access.redhat.com/security/cve/cve-2021-43816" }, { "trust": 0.2, "url": "https://access.redhat.com/security/cve/cve-2021-3918" }, { "trust": 0.2, "url": "https://access.redhat.com/security/team/contact/" }, { "trust": 0.2, "url": "https://bugzilla.redhat.com/):" }, { "trust": 0.2, "url": "https://access.redhat.com/security/cve/cve-2022-24450" }, { "trust": 0.2, "url": "https://access.redhat.com/security/cve/cve-2022-0235" }, { "trust": 0.1, "url": "https://cwe.mitre.org/data/definitions/863.html" }, { "trust": 0.1, "url": "https://github.com/morhax/cve-2021-43858" }, { "trust": 0.1, "url": "https://nvd.nist.gov" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-3872" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-3521" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-4034" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-4034" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-4019" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-4155" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-4122" }, { "trust": 0.1, "url": "https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.4/html/release_notes/" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-3872" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-4192" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2022-0235" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-3712" }, { "trust": 0.1, 
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-22963" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-3984" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-22963" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-3984" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-4193" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2022-24407" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2022-24450" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2022-0185" }, { "trust": 0.1, "url": "https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.4/html-single/install/index#installing" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-3807" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-43565" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-42574" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2022-0185" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-4155" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-41091" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-4193" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-4122" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-42574" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-41089" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-41089" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-41091" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-3807" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-43816" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-4192" }, { "trust": 0.1, "url": 
"https://access.redhat.com/errata/rhsa-2022:0735" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-3712" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-4019" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2022-24407" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-3521" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-3752" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-4157" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-3669" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-3744" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2020-13974" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-45485" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-3773" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-4002" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-29154" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-43976" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-0941" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-43389" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-3634" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2020-27820" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-4189" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-44733" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-3752" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-21781" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-3634" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-3772" }, { "trust": 0.1, "url": 
"https://access.redhat.com/security/cve/cve-2020-19131" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-3773" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-4037" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-29154" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-37159" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2020-4788" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-3772" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2020-0404" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-3669" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-3764" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-20322" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-3743" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-43056" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-3612" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-3764" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-37159" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-41864" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2022-27191" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-4197" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-0941" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-3612" }, { "trust": 0.1, "url": "https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.5/html/release_notes/" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-26401" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2022-21803" }, { "trust": 0.1, "url": 
"https://access.redhat.com/security/cve/cve-2022-24778" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2020-27820" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-3743" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-3737" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2022-1011" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2020-13974" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-20322" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-4083" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-45486" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2022-0322" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2020-4788" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-3737" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-26401" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-4157" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2022-0286" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2022-0001" }, { "trust": 0.1, "url": "https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.5/html-single/install/index#installing" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-41190" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-3759" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-4083" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2022-24785" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2022-23806" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-41190" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-3759" }, { "trust": 0.1, "url": 
"https://nvd.nist.gov/vuln/detail/cve-2021-4037" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2022-29810" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-4002" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-21781" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2022-0002" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-4203" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-3744" }, { "trust": 0.1, "url": "https://access.redhat.com/errata/rhsa-2022:4956" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2020-19131" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2022-0778" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-42739" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2020-0404" } ], "sources": [ { "db": "CNVD", "id": "CNVD-2022-08921" }, { "db": "VULMON", "id": "CVE-2021-43858" }, { "db": "JVNDB", "id": "JVNDB-2021-017335" }, { "db": "PACKETSTORM", "id": "166199" }, { "db": "PACKETSTORM", "id": "167459" }, { "db": "CNNVD", "id": "CNNVD-202112-2635" }, { "db": "NVD", "id": "CVE-2021-43858" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "CNVD", "id": "CNVD-2022-08921" }, { "db": "VULMON", "id": "CVE-2021-43858" }, { "db": "JVNDB", "id": "JVNDB-2021-017335" }, { "db": "PACKETSTORM", "id": "166199" }, { "db": "PACKETSTORM", "id": "167459" }, { "db": "CNNVD", "id": "CNNVD-202112-2635" }, { "db": "NVD", "id": "CVE-2021-43858" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2022-02-09T00:00:00", "db": "CNVD", "id": "CNVD-2022-08921" }, { "date": "2021-12-27T00:00:00", "db": "VULMON", "id": "CVE-2021-43858" }, { "date": 
"2023-01-17T00:00:00", "db": "JVNDB", "id": "JVNDB-2021-017335" }, { "date": "2022-03-04T16:03:16", "db": "PACKETSTORM", "id": "166199" }, { "date": "2022-06-09T16:11:52", "db": "PACKETSTORM", "id": "167459" }, { "date": "2021-12-27T00:00:00", "db": "CNNVD", "id": "CNNVD-202112-2635" }, { "date": "2021-12-27T22:15:07.703000", "db": "NVD", "id": "CVE-2021-43858" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2022-02-09T00:00:00", "db": "CNVD", "id": "CNVD-2022-08921" }, { "date": "2022-08-09T00:00:00", "db": "VULMON", "id": "CVE-2021-43858" }, { "date": "2023-01-17T02:37:00", "db": "JVNDB", "id": "JVNDB-2021-017335" }, { "date": "2022-08-10T00:00:00", "db": "CNNVD", "id": "CNNVD-202112-2635" }, { "date": "2024-11-21T06:29:56.750000", "db": "NVD", "id": "CVE-2021-43858" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "CNNVD", "id": "CNNVD-202112-2635" } ], "trust": 0.6 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "MinIO\u00a0 Fraud related to unauthorized authentication in", "sources": [ { "db": "JVNDB", "id": "JVNDB-2021-017335" } ], "trust": 0.8 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "other", "sources": [ { "db": "CNNVD", "id": "CNNVD-202112-2635" } ], "trust": 0.6 } }
var-202303-0929
Vulnerability from variot
Minio is a Multi-Cloud Object Storage framework. Starting with RELEASE.2020-12-23T02-24-12Z and prior to RELEASE.2023-03-13T19-46-17Z, a user with `consoleAdmin` permissions can potentially create a user that matches the root credential `accessKey`. Once this user is created successfully, the root credential ceases to work appropriately. The issue is patched in RELEASE.2023-03-13T19-46-17Z. There are ways to work around this via adding higher privileges to the disabled root user via `mc admin policy set`. Minio Inc.'s Minio contains an unspecified vulnerability: information may be tampered with and service operation may be interrupted (DoS).
{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-202303-0929", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "minio", "scope": "gte", "trust": 1.0, "vendor": "minio", "version": "2020-12-23t02-24-12z" }, { "model": "minio", "scope": "lt", "trust": 1.0, "vendor": "minio", "version": "2023-03-13t19-46-17z" }, { "model": "minio", "scope": null, "trust": 0.8, "vendor": "minio", "version": null }, { "model": "minio", "scope": "eq", "trust": 0.8, "vendor": "minio", "version": null }, { 
"model": "minio", "scope": "eq", "trust": 0.8, "vendor": "minio", "version": "2020-12-23t02-24-12z that\u0027s all 2023-03-13t19-46-17z" } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2023-005403" }, { "db": "NVD", "id": "CVE-2023-27589" } ] }, "configurations": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/configurations#", "children": { "@container": "@list" }, "cpe_match": { "@container": "@list" }, "data": { "@container": "@list" }, "nodes": { "@container": "@list" } }, "data": [ { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "2023-03-13t19-46-17z", "versionStartIncluding": "2020-12-23t02-24-12z", "vulnerable": true } ], "operator": "OR" } ] } ], "sources": [ { "db": "NVD", "id": "CVE-2023-27589" } ] }, "cve": "CVE-2023-27589", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [], "cvssV3": [ { "attackComplexity": "LOW", "attackVector": "NETWORK", "author": "NVD", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "exploitabilityScore": 1.2, "impactScore": 5.2, "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "trust": 2.0, "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H", "version": "3.1" 
}, { "attackComplexity": "Low", "attackVector": "Network", "author": "NVD", "availabilityImpact": "High", "baseScore": 6.5, "baseSeverity": "Medium", "confidentialityImpact": "None", "exploitabilityScore": null, "id": "CVE-2023-27589", "impactScore": null, "integrityImpact": "High", "privilegesRequired": "High", "scope": "Unchanged", "trust": 0.8, "userInteraction": "None", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H", "version": "3.0" } ], "severity": [ { "author": "NVD", "id": "CVE-2023-27589", "trust": 1.8, "value": "MEDIUM" }, { "author": "security-advisories@github.com", "id": "CVE-2023-27589", "trust": 1.0, "value": "MEDIUM" }, { "author": "CNNVD", "id": "CNNVD-202303-1092", "trust": 0.6, "value": "MEDIUM" } ] } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2023-005403" }, { "db": "NVD", "id": "CVE-2023-27589" }, { "db": "NVD", "id": "CVE-2023-27589" }, { "db": "CNNVD", "id": "CNNVD-202303-1092" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Minio is a Multi-Cloud Object Storage framework. Starting with RELEASE.2020-12-23T02-24-12Z and prior to RELEASE.2023-03-13T19-46-17Z, a user with `consoleAdmin` permissions can potentially create a user that matches the root credential `accessKey`. Once this user is created successfully, the root credential ceases to work appropriately. The issue is patched in RELEASE.2023-03-13T19-46-17Z. There are ways to work around this via adding higher privileges to the disabled root user via `mc admin policy set`. Minio Inc. 
of Minio Exists in unspecified vulnerabilities.Information is tampered with and service operation is interrupted (DoS) It may be in a state", "sources": [ { "db": "NVD", "id": "CVE-2023-27589" }, { "db": "JVNDB", "id": "JVNDB-2023-005403" }, { "db": "VULMON", "id": "CVE-2023-27589" } ], "trust": 1.71 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2023-27589", "trust": 3.3 }, { "db": "JVNDB", "id": "JVNDB-2023-005403", "trust": 0.8 }, { "db": "CNNVD", "id": "CNNVD-202303-1092", "trust": 0.6 }, { "db": "VULMON", "id": "CVE-2023-27589", "trust": 0.1 } ], "sources": [ { "db": "VULMON", "id": "CVE-2023-27589" }, { "db": "JVNDB", "id": "JVNDB-2023-005403" }, { "db": "NVD", "id": "CVE-2023-27589" }, { "db": "CNNVD", "id": "CNNVD-202303-1092" } ] }, "id": "VAR-202303-0929", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "VARIoT devices database", "id": null } ], "trust": 0.18899521 }, "last_update_date": "2023-12-18T12:48:11.973000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "MinIO Security vulnerabilities", "trust": 0.6, "url": "http://123.124.177.30/web/xxk/bdxqbyid.tag?id=229736" } ], "sources": [ { "db": "CNNVD", "id": "CNNVD-202303-1092" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "NVD-CWE-noinfo", "trust": 
1.0 }, { "problemtype": "Lack of information (CWE-noinfo) [NVD evaluation ]", "trust": 0.8 } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2023-005403" }, { "db": "NVD", "id": "CVE-2023-27589" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 2.5, "url": "https://github.com/minio/minio/pull/16803" }, { "trust": 2.5, "url": "https://github.com/minio/minio/security/advisories/ghsa-9wfv-wmf7-6753" }, { "trust": 0.8, "url": "https://nvd.nist.gov/vuln/detail/cve-2023-27589" }, { "trust": 0.6, "url": "https://cxsecurity.com/cveshow/cve-2023-27589/" }, { "trust": 0.1, "url": "https://cwe.mitre.org/data/definitions/269.html" }, { "trust": 0.1, "url": "https://nvd.nist.gov" } ], "sources": [ { "db": "VULMON", "id": "CVE-2023-27589" }, { "db": "JVNDB", "id": "JVNDB-2023-005403" }, { "db": "NVD", "id": "CVE-2023-27589" }, { "db": "CNNVD", "id": "CNNVD-202303-1092" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "VULMON", "id": "CVE-2023-27589" }, { "db": "JVNDB", "id": "JVNDB-2023-005403" }, { "db": "NVD", "id": "CVE-2023-27589" }, { "db": "CNNVD", "id": "CNNVD-202303-1092" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2023-03-14T00:00:00", "db": "VULMON", "id": "CVE-2023-27589" }, { "date": "2023-11-08T00:00:00", "db": "JVNDB", "id": "JVNDB-2023-005403" }, { "date": "2023-03-14T19:15:10.547000", "db": "NVD", "id": "CVE-2023-27589" }, { "date": "2023-03-14T00:00:00", "db": "CNNVD", "id": "CNNVD-202303-1092" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { 
"date": "2023-03-15T00:00:00", "db": "VULMON", "id": "CVE-2023-27589" }, { "date": "2023-11-08T03:19:00", "db": "JVNDB", "id": "JVNDB-2023-005403" }, { "date": "2023-03-21T14:16:35.477000", "db": "NVD", "id": "CVE-2023-27589" }, { "date": "2023-03-22T00:00:00", "db": "CNNVD", "id": "CNNVD-202303-1092" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "CNNVD", "id": "CNNVD-202303-1092" } ], "trust": 0.6 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Minio\u00a0Inc.\u00a0 of \u00a0Minio\u00a0 Vulnerability in", "sources": [ { "db": "JVNDB", "id": "JVNDB-2023-005403" } ], "trust": 0.8 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "other", "sources": [ { "db": "CNNVD", "id": "CNNVD-202303-1092" } ], "trust": 0.6 } }
var-202102-0960
Vulnerability from variot
MinIO is a High Performance Object Storage released under Apache License v2.0. In MinIO before version RELEASE.2021-01-30T00-20-58Z there is a server-side request forgery vulnerability. The target application may have functionality for importing data from a URL, publishing data to a URL, or otherwise reading data from a URL that can be tampered with. The attacker modifies the calls to this functionality by supplying a completely different URL or by manipulating how URLs are built (path traversal etc.). In a Server-Side Request Forgery (SSRF) attack, the attacker can abuse functionality on the server to read or update internal resources. The attacker can supply or modify a URL which the code running on the server will read or submit data, and by carefully selecting the URLs, the attacker may be able to read server configuration such as AWS metadata, connect to internal services like HTTP enabled databases, or perform post requests towards internal services which are not intended to be exposed. This is fixed in version RELEASE.2021-01-30T00-20-58Z, all users are advised to upgrade. As a workaround you can disable the browser front-end with "MINIO_BROWSER=off" environment variable. Minio is an open source object storage server from MinIO, USA. The product supports the construction of infrastructure for machine learning, analysis, and application data workloads
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-202102-0960", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "minio", "scope": "lt", "trust": 1.0, "vendor": "minio", "version": "2021-01-30t00-20-58z" }, { "model": "minio", "scope": "eq", "trust": 0.8, "vendor": "minio", "version": null }, { "model": "minio", "scope": "eq", "trust": 0.8, "vendor": "minio", "version": "2021-01-30t00-20-58z" }, { "model": "minio", "scope": null, "trust": 0.6, 
"vendor": "minio", "version": null } ], "sources": [ { "db": "CNVD", "id": "CNVD-2021-19696" }, { "db": "JVNDB", "id": "JVNDB-2021-003153" }, { "db": "NVD", "id": "CVE-2021-21287" } ] }, "cve": "CVE-2021-21287", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [ { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "author": "nvd@nist.gov", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "exploitabilityScore": 8.0, "id": "CVE-2021-21287", "impactScore": 2.9, "integrityImpact": "NONE", "severity": "MEDIUM", "trust": 1.9, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0" }, { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "author": "CNVD", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "exploitabilityScore": 8.0, "id": "CNVD-2021-19696", "impactScore": 2.9, "integrityImpact": "NONE", "severity": "MEDIUM", "trust": 0.6, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0" } ], "cvssV3": [ { "attackComplexity": "LOW", "attackVector": "NETWORK", "author": "nvd@nist.gov", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "exploitabilityScore": 3.1, "id": "CVE-2021-21287", "impactScore": 4.0, "integrityImpact": "NONE", "privilegesRequired": 
"LOW", "scope": "CHANGED", "trust": 2.0, "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1" }, { "attackComplexity": "Low", "attackVector": "Network", "author": "OTHER", "availabilityImpact": "None", "baseScore": 7.7, "baseSeverity": "High", "confidentialityImpact": "High", "exploitabilityScore": null, "id": "JVNDB-2021-003153", "impactScore": null, "integrityImpact": "None", "privilegesRequired": "Low", "scope": "Changed", "trust": 0.8, "userInteraction": "None", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.0" } ], "severity": [ { "author": "nvd@nist.gov", "id": "CVE-2021-21287", "trust": 1.0, "value": "HIGH" }, { "author": "security-advisories@github.com", "id": "CVE-2021-21287", "trust": 1.0, "value": "HIGH" }, { "author": "NVD", "id": "CVE-2021-21287", "trust": 0.8, "value": "High" }, { "author": "CNVD", "id": "CNVD-2021-19696", "trust": 0.6, "value": "MEDIUM" }, { "author": "CNNVD", "id": "CNNVD-202102-009", "trust": 0.6, "value": "HIGH" }, { "author": "VULMON", "id": "CVE-2021-21287", "trust": 0.1, "value": "MEDIUM" } ] } ], "sources": [ { "db": "CNVD", "id": "CNVD-2021-19696" }, { "db": "VULMON", "id": "CVE-2021-21287" }, { "db": "JVNDB", "id": "JVNDB-2021-003153" }, { "db": "CNNVD", "id": "CNNVD-202102-009" }, { "db": "NVD", "id": "CVE-2021-21287" }, { "db": "NVD", "id": "CVE-2021-21287" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "MinIO is a High Performance Object Storage released under Apache License v2.0. In MinIO before version RELEASE.2021-01-30T00-20-58Z there is a server-side request forgery vulnerability. The target application may have functionality for importing data from a URL, publishing data to a URL, or otherwise reading data from a URL that can be tampered with. 
The attacker modifies the calls to this functionality by supplying a completely different URL or by manipulating how URLs are built (path traversal etc.). In a Server-Side Request Forgery (SSRF) attack, the attacker can abuse functionality on the server to read or update internal resources. The attacker can supply or modify a URL which the code running on the server will read or submit data, and by carefully selecting the URLs, the attacker may be able to read server configuration such as AWS metadata, connect to internal services like HTTP enabled databases, or perform post requests towards internal services which are not intended to be exposed. This is fixed in version RELEASE.2021-01-30T00-20-58Z, all users are advised to upgrade. As a workaround you can disable the browser front-end with \"MINIO_BROWSER=off\" environment variable. Minio is an open source object storage server from MinIO, USA. The product supports the construction of infrastructure for machine learning, analysis, and application data workloads", "sources": [ { "db": "NVD", "id": "CVE-2021-21287" }, { "db": "JVNDB", "id": "JVNDB-2021-003153" }, { "db": "CNVD", "id": "CNVD-2021-19696" }, { "db": "VULMON", "id": "CVE-2021-21287" } ], "trust": 2.25 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2021-21287", "trust": 3.1 }, { "db": "JVNDB", "id": "JVNDB-2021-003153", "trust": 0.8 }, { "db": "CNVD", "id": "CNVD-2021-19696", "trust": 0.6 }, { "db": "CNNVD", "id": "CNNVD-202102-009", "trust": 0.6 }, { "db": "VULMON", "id": "CVE-2021-21287", "trust": 0.1 } ], "sources": [ { "db": "CNVD", "id": "CNVD-2021-19696" }, { "db": "VULMON", "id": "CVE-2021-21287" }, { "db": "JVNDB", "id": "JVNDB-2021-003153" }, { "db": "CNNVD", "id": "CNNVD-202102-009" }, { "db": "NVD", "id": "CVE-2021-21287" } 
] }, "id": "VAR-202102-0960", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "CNVD", "id": "CNVD-2021-19696" } ], "trust": 0.06 }, "iot_taxonomy": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "category": [ "Network device" ], "sub_category": null, "trust": 0.6 } ], "sources": [ { "db": "CNVD", "id": "CNVD-2021-19696" } ] }, "last_update_date": "2024-11-23T22:54:54.546000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "Security\u00a0Bug\u00a0Fix\u00a0Release GitHub", "trust": 0.8, "url": "https://github.com/minio/minio/commit/eb6871ecd960d570f70698877209e6db181bf276" }, { "title": "Patch for MinIO cross-site request forgery vulnerability", "trust": 0.6, "url": "https://www.cnvd.org.cn/patchInfo/show/254121" }, { "title": "Minio MinIO Fixes for code issue vulnerabilities", "trust": 0.6, "url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=140428" }, { "title": "Arch Linux Advisories: [ASA-202102-10] minio: directory traversal", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=arch_linux_advisories\u0026qid=ASA-202102-10" }, { "title": "Arch Linux Issues: ", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=arch_linux_issues\u0026qid=CVE-2021-21287 log" }, { "title": "Cloud-Native-Security2", "trust": 0.1, "url": "https://github.com/reni2study/Cloud-Native-Security2 " } ], "sources": [ { "db": "CNVD", "id": "CNVD-2021-19696" }, { "db": "VULMON", "id": "CVE-2021-21287" }, { "db": "JVNDB", "id": 
"JVNDB-2021-003153" }, { "db": "CNNVD", "id": "CNNVD-202102-009" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "CWE-918", "trust": 1.0 }, { "problemtype": "Server-side request forgery (CWE-918) [ Other ]", "trust": 0.8 } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2021-003153" }, { "db": "NVD", "id": "CVE-2021-21287" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 2.0, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-21287" }, { "trust": 1.7, "url": "https://github.com/minio/minio/commit/eb6871ecd960d570f70698877209e6db181bf276" }, { "trust": 1.7, "url": "https://github.com/minio/minio/pull/11337" }, { "trust": 1.7, "url": "https://github.com/minio/minio/releases/tag/release.2021-01-30t00-20-58z" }, { "trust": 1.7, "url": "https://github.com/minio/minio/security/advisories/ghsa-m4qq-5f7c-693q" }, { "trust": 0.1, "url": "https://cwe.mitre.org/data/definitions/918.html" }, { "trust": 0.1, "url": "https://nvd.nist.gov" }, { "trust": 0.1, "url": "https://security.archlinux.org/asa-202102-10" }, { "trust": 0.1, "url": "https://security.archlinux.org/cve-2021-21287" } ], "sources": [ { "db": "CNVD", "id": "CNVD-2021-19696" }, { "db": "VULMON", "id": "CVE-2021-21287" }, { "db": "JVNDB", "id": "JVNDB-2021-003153" }, { "db": "CNNVD", "id": "CNNVD-202102-009" }, { "db": "NVD", "id": "CVE-2021-21287" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "CNVD", "id": "CNVD-2021-19696" }, { "db": "VULMON", "id": "CVE-2021-21287" }, { "db": "JVNDB", "id": "JVNDB-2021-003153" }, { "db": "CNNVD", "id": 
"CNNVD-202102-009" }, { "db": "NVD", "id": "CVE-2021-21287" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2021-03-21T00:00:00", "db": "CNVD", "id": "CNVD-2021-19696" }, { "date": "2021-02-01T00:00:00", "db": "VULMON", "id": "CVE-2021-21287" }, { "date": "2021-10-19T00:00:00", "db": "JVNDB", "id": "JVNDB-2021-003153" }, { "date": "2021-02-01T00:00:00", "db": "CNNVD", "id": "CNNVD-202102-009" }, { "date": "2021-02-01T18:15:13.890000", "db": "NVD", "id": "CVE-2021-21287" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2021-03-21T00:00:00", "db": "CNVD", "id": "CNVD-2021-19696" }, { "date": "2021-02-05T00:00:00", "db": "VULMON", "id": "CVE-2021-21287" }, { "date": "2021-10-19T08:04:00", "db": "JVNDB", "id": "JVNDB-2021-003153" }, { "date": "2021-02-09T00:00:00", "db": "CNNVD", "id": "CNNVD-202102-009" }, { "date": "2024-11-21T05:47:56.277000", "db": "NVD", "id": "CVE-2021-21287" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "CNNVD", "id": "CNNVD-202102-009" } ], "trust": 0.6 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "MinIO\u00a0 Server-side Request Forgery Vulnerability", "sources": [ { "db": "JVNDB", "id": "JVNDB-2021-003153" } ], "trust": 0.8 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "code problem", "sources": [ { "db": "CNNVD", "id": 
"CNNVD-202102-009" } ], "trust": 0.6 } }
var-202204-0667
Vulnerability from variot
MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. A security issue was found where a non-admin user is able to create service accounts for root or other admin users and then assume their access policies via the generated credentials. This in turn allows the user to escalate privilege to that of the root user. Affected versions are RELEASE.2021-12-09T06-19-41Z up to, but not including, RELEASE.2022-04-12T06-55-35Z. This vulnerability has been resolved in pull request #14729 and is included in RELEASE.2022-04-12T06-55-35Z. Users unable to upgrade may work around this issue by explicitly adding an admin:CreateServiceAccount deny policy; however, this in turn also denies the user the ability to create their own service accounts. MinIO from MinIO Inc. contains an unspecified vulnerability: information may be obtained, information may be tampered with, and service operation may be interrupted (DoS).
{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-202204-0667", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "minio", "scope": "lt", "trust": 1.0, "vendor": "minio", "version": "2022-04-12t06-55-35z" }, { "model": "minio", "scope": "gte", "trust": 1.0, "vendor": "minio", "version": "2021-12-09t06-19-41z" }, { "model": "minio", "scope": "eq", "trust": 0.8, "vendor": "minio", "version": null }, { 
"model": "minio", "scope": "eq", "trust": 0.8, "vendor": "minio", "version": "2021-12-09t06-19-41z that\u0027s all 2022-04-12t06-55-35z" }, { "model": "minio", "scope": null, "trust": 0.8, "vendor": "minio", "version": null } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2022-008408" }, { "db": "NVD", "id": "CVE-2022-24842" } ] }, "configurations": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/configurations#", "children": { "@container": "@list" }, "cpe_match": { "@container": "@list" }, "data": { "@container": "@list" }, "nodes": { "@container": "@list" } }, "data": [ { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "2022-04-12t06-55-35z", "versionStartIncluding": "2021-12-09t06-19-41z", "vulnerable": true } ], "operator": "OR" } ] } ], "sources": [ { "db": "NVD", "id": "CVE-2022-24842" } ] }, "cve": "CVE-2022-24842", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [ { "acInsufInfo": false, "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "author": "NVD", "availabilityImpact": "COMPLETE", "baseScore": 9.0, "confidentialityImpact": "COMPLETE", "exploitabilityScore": 8.0, "impactScore": 10.0, "integrityImpact": "COMPLETE", "obtainAllPrivilege": false, "obtainOtherPrivilege": false, 
"obtainUserPrivilege": false, "severity": "HIGH", "trust": 1.0, "userInteractionRequired": false, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0" }, { "acInsufInfo": null, "accessComplexity": "Low", "accessVector": "Network", "authentication": "Single", "author": "NVD", "availabilityImpact": "Complete", "baseScore": 9.0, "confidentialityImpact": "Complete", "exploitabilityScore": null, "id": "CVE-2022-24842", "impactScore": null, "integrityImpact": "Complete", "obtainAllPrivilege": null, "obtainOtherPrivilege": null, "obtainUserPrivilege": null, "severity": "High", "trust": 0.9, "userInteractionRequired": null, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0" } ], "cvssV3": [ { "attackComplexity": "LOW", "attackVector": "NETWORK", "author": "NVD", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "exploitabilityScore": 2.8, "impactScore": 5.9, "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "trust": 2.0, "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, { "attackComplexity": "Low", "attackVector": "Network", "author": "NVD", "availabilityImpact": "High", "baseScore": 8.8, "baseSeverity": "High", "confidentialityImpact": "High", "exploitabilityScore": null, "id": "CVE-2022-24842", "impactScore": null, "integrityImpact": "High", "privilegesRequired": "Low", "scope": "Unchanged", "trust": 0.8, "userInteraction": "None", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" } ], "severity": [ { "author": "NVD", "id": "CVE-2022-24842", "trust": 1.8, "value": "HIGH" }, { "author": "security-advisories@github.com", "id": "CVE-2022-24842", "trust": 1.0, "value": "HIGH" }, { "author": "CNNVD", "id": "CNNVD-202204-3225", "trust": 0.6, "value": "HIGH" }, { "author": "VULMON", "id": "CVE-2022-24842", "trust": 0.1, "value": "HIGH" } ] } ], "sources": [ { "db": "VULMON", "id": 
"CVE-2022-24842" }, { "db": "JVNDB", "id": "JVNDB-2022-008408" }, { "db": "NVD", "id": "CVE-2022-24842" }, { "db": "NVD", "id": "CVE-2022-24842" }, { "db": "CNNVD", "id": "CNNVD-202204-3225" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. A security issue was found where an non-admin user is able to create service accounts for root or other admin users and then is able to assume their access policies via the generated credentials. This in turn allows the user to escalate privilege to that of the root user. This vulnerability has been resolved in pull request #14729 and is included in `RELEASE.2022-04-12T06-55-35Z`. Users unable to upgrade may workaround this issue by explicitly adding a `admin:CreateServiceAccount` deny policy, however, this, in turn, denies the user the ability to create their own service accounts as well. Minio Inc. of Minio Exists in unspecified vulnerabilities.Information is obtained, information is tampered with, and service operation is interrupted. 
(DoS) It may be in a state", "sources": [ { "db": "NVD", "id": "CVE-2022-24842" }, { "db": "JVNDB", "id": "JVNDB-2022-008408" }, { "db": "VULMON", "id": "CVE-2022-24842" } ], "trust": 1.71 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2022-24842", "trust": 3.3 }, { "db": "JVNDB", "id": "JVNDB-2022-008408", "trust": 0.8 }, { "db": "CS-HELP", "id": "SB2022062921", "trust": 0.6 }, { "db": "CNNVD", "id": "CNNVD-202204-3225", "trust": 0.6 }, { "db": "VULMON", "id": "CVE-2022-24842", "trust": 0.1 } ], "sources": [ { "db": "VULMON", "id": "CVE-2022-24842" }, { "db": "JVNDB", "id": "JVNDB-2022-008408" }, { "db": "NVD", "id": "CVE-2022-24842" }, { "db": "CNNVD", "id": "CNNVD-202204-3225" } ] }, "id": "VAR-202204-0667", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "VARIoT devices database", "id": null } ], "trust": 0.18899521 }, "last_update_date": "2023-12-18T13:37:00.588000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "MinIO Security vulnerabilities", "trust": 0.6, "url": "http://123.124.177.30/web/xxk/bdxqbyid.tag?id=190450" } ], "sources": [ { "db": "CNNVD", "id": "CNNVD-202204-3225" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "NVD-CWE-Other", "trust": 1.0 }, { "problemtype": "others (CWE-Other) [NVD 
evaluation ]", "trust": 0.8 } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2022-008408" }, { "db": "NVD", "id": "CVE-2022-24842" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 2.5, "url": "https://github.com/minio/minio/security/advisories/ghsa-2j69-jjmg-534q" }, { "trust": 2.5, "url": "https://github.com/minio/minio/commit/66b14a0d32684d527ae8018dc6d9d46ccce58ae3" }, { "trust": 2.5, "url": "https://github.com/minio/minio/pull/14729" }, { "trust": 0.8, "url": "https://nvd.nist.gov/vuln/detail/cve-2022-24842" }, { "trust": 0.6, "url": "https://cxsecurity.com/cveshow/cve-2022-24842/" }, { "trust": 0.6, "url": "https://www.cybersecurity-help.cz/vdb/sb2022062921" }, { "trust": 0.1, "url": "https://cwe.mitre.org/data/definitions/269.html" }, { "trust": 0.1, "url": "https://nvd.nist.gov" } ], "sources": [ { "db": "VULMON", "id": "CVE-2022-24842" }, { "db": "JVNDB", "id": "JVNDB-2022-008408" }, { "db": "NVD", "id": "CVE-2022-24842" }, { "db": "CNNVD", "id": "CNNVD-202204-3225" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "VULMON", "id": "CVE-2022-24842" }, { "db": "JVNDB", "id": "JVNDB-2022-008408" }, { "db": "NVD", "id": "CVE-2022-24842" }, { "db": "CNNVD", "id": "CNNVD-202204-3225" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2022-04-12T00:00:00", "db": "VULMON", "id": "CVE-2022-24842" }, { "date": "2023-07-26T00:00:00", "db": "JVNDB", "id": "JVNDB-2022-008408" }, { "date": "2022-04-12T18:15:09.690000", "db": "NVD", "id": "CVE-2022-24842" }, { "date": "2022-04-12T00:00:00", "db": "CNNVD", "id": "CNNVD-202204-3225" } ] }, "sources_update_date": { 
"@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2022-04-23T00:00:00", "db": "VULMON", "id": "CVE-2022-24842" }, { "date": "2023-07-26T08:26:00", "db": "JVNDB", "id": "JVNDB-2022-008408" }, { "date": "2023-07-06T13:51:44.233000", "db": "NVD", "id": "CVE-2022-24842" }, { "date": "2023-07-07T00:00:00", "db": "CNNVD", "id": "CNNVD-202204-3225" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "CNNVD", "id": "CNNVD-202204-3225" } ], "trust": 0.6 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Minio\u00a0Inc.\u00a0 of \u00a0Minio\u00a0 Vulnerability in", "sources": [ { "db": "JVNDB", "id": "JVNDB-2022-008408" } ], "trust": 0.8 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "other", "sources": [ { "db": "CNNVD", "id": "CNNVD-202204-3225" } ], "trust": 0.6 } }
var-202103-0605
Vulnerability from variot
MinIO is an open-source high performance object storage service and it is API compatible with Amazon S3 cloud storage service. In MinIO before version RELEASE.2021-03-04T00-53-13Z it is possible to bypass a readOnly policy by creating a temporary 'mc share upload' URL. Every deployment that uses MinIO multi-user mode is affected. This is fixed in version RELEASE.2021-03-04T00-53-13Z. As a workaround, a proxy placed in front of MinIO can reject object uploads that carry Content-Type: multipart/form-data, the form-based POST upload described in the S3 API RESTObjectPOST docs. MinIO contains an authorization vulnerability; information may be tampered with.
{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-202103-0605", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "minio", "scope": "lt", "trust": 1.0, "vendor": "minio", "version": "2021-03-04t00-53-13z" }, { "model": "minio", "scope": "eq", "trust": 0.8, "vendor": "minio", "version": "release.2021-03-04t00-53-13z" }, { "model": "minio", "scope": "eq", "trust": 0.8, "vendor": "minio", "version": 
null } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2021-004351" }, { "db": "NVD", "id": "CVE-2021-21362" } ] }, "configurations": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/configurations#", "children": { "@container": "@list" }, "cpe_match": { "@container": "@list" }, "data": { "@container": "@list" }, "nodes": { "@container": "@list" } }, "data": [ { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "2021-03-04t00-53-13z", "vulnerable": true } ], "operator": "OR" } ] } ], "sources": [ { "db": "NVD", "id": "CVE-2021-21362" } ] }, "cve": "CVE-2021-21362", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [ { "acInsufInfo": false, "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "author": "NVD", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "NONE", "exploitabilityScore": 8.0, "impactScore": 2.9, "integrityImpact": "PARTIAL", "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "trust": 1.0, "userInteractionRequired": false, "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0" }, { "acInsufInfo": null, "accessComplexity": "Low", "accessVector": "Network", "authentication": "Single", "author": 
"NVD", "availabilityImpact": "None", "baseScore": 4.0, "confidentialityImpact": "None", "exploitabilityScore": null, "id": "CVE-2021-21362", "impactScore": null, "integrityImpact": "Partial", "obtainAllPrivilege": null, "obtainOtherPrivilege": null, "obtainUserPrivilege": null, "severity": "Medium", "trust": 0.9, "userInteractionRequired": null, "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0" } ], "cvssV3": [ { "attackComplexity": "LOW", "attackVector": "NETWORK", "author": "NVD", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "exploitabilityScore": 2.8, "impactScore": 3.6, "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "trust": 1.0, "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" }, { "attackComplexity": "LOW", "attackVector": "NETWORK", "author": "security-advisories@github.com", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "exploitabilityScore": 3.1, "impactScore": 4.0, "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "trust": 1.0, "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N", "version": "3.1" }, { "attackComplexity": "Low", "attackVector": "Network", "author": "NVD", "availabilityImpact": "None", "baseScore": 6.5, "baseSeverity": "Medium", "confidentialityImpact": "None", "exploitabilityScore": null, "id": "CVE-2021-21362", "impactScore": null, "integrityImpact": "High", "privilegesRequired": "Low", "scope": "Unchanged", "trust": 0.8, "userInteraction": "None", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.0" } ], "severity": [ { "author": "NVD", "id": "CVE-2021-21362", "trust": 1.8, "value": "MEDIUM" }, { "author": "security-advisories@github.com", "id": "CVE-2021-21362", "trust": 1.0, "value": "HIGH" }, { "author": "CNNVD", "id": 
"CNNVD-202103-562", "trust": 0.6, "value": "MEDIUM" }, { "author": "VULMON", "id": "CVE-2021-21362", "trust": 0.1, "value": "MEDIUM" } ] } ], "sources": [ { "db": "VULMON", "id": "CVE-2021-21362" }, { "db": "JVNDB", "id": "JVNDB-2021-004351" }, { "db": "NVD", "id": "CVE-2021-21362" }, { "db": "NVD", "id": "CVE-2021-21362" }, { "db": "CNNVD", "id": "CNNVD-202103-562" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "MinIO is an open-source high performance object storage service and it is API compatible with Amazon S3 cloud storage service. In MinIO before version RELEASE.2021-03-04T00-53-13Z it is possible to bypass a readOnly policy by creating a temporary \u0027mc share upload\u0027 URL. Everyone is impacted who uses MinIO multi-users. This is fixed in version RELEASE.2021-03-04T00-53-13Z. As a workaround, one can disable uploads with `Content-Type: multipart/form-data` as mentioned in the S3 API RESTObjectPOST docs by using a proxy in front of MinIO. 
MinIO Exists in an authorization vulnerability.Information may be tampered with", "sources": [ { "db": "NVD", "id": "CVE-2021-21362" }, { "db": "JVNDB", "id": "JVNDB-2021-004351" }, { "db": "VULMON", "id": "CVE-2021-21362" } ], "trust": 1.71 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2021-21362", "trust": 2.5 }, { "db": "JVNDB", "id": "JVNDB-2021-004351", "trust": 0.8 }, { "db": "CNNVD", "id": "CNNVD-202103-562", "trust": 0.6 }, { "db": "VULMON", "id": "CVE-2021-21362", "trust": 0.1 } ], "sources": [ { "db": "VULMON", "id": "CVE-2021-21362" }, { "db": "JVNDB", "id": "JVNDB-2021-004351" }, { "db": "NVD", "id": "CVE-2021-21362" }, { "db": "CNNVD", "id": "CNNVD-202103-562" } ] }, "id": "VAR-202103-0605", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "VARIoT devices database", "id": null } ], "trust": 0.18899521 }, "last_update_date": "2023-12-18T13:42:39.439000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "missing\u00a0user\u00a0policy\u00a0enforcement\u00a0in\u00a0PostPolicyHandler\u00a0(#11682)", "trust": 0.8, "url": "https://github.com/minio/minio/releases/tag/release.2021-03-04t00-53-13z" }, { "title": "MinIO Remediation measures for authorization problem vulnerabilities", "trust": 0.6, "url": "http://123.124.177.30/web/xxk/bdxqbyid.tag?id=144156" }, { "title": "Arch Linux Advisories: [ASA-202103-5] minio: access restriction bypass", "trust": 0.1, "url": 
"https://vulmon.com/vendoradvisory?qidtp=arch_linux_advisories\u0026qid=asa-202103-5" }, { "title": "Arch Linux Issues: ", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=arch_linux_issues\u0026qid=cve-2021-21362 log" } ], "sources": [ { "db": "VULMON", "id": "CVE-2021-21362" }, { "db": "JVNDB", "id": "JVNDB-2021-004351" }, { "db": "CNNVD", "id": "CNNVD-202103-562" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "CWE-863", "trust": 1.0 }, { "problemtype": "Inappropriate authorization (CWE-285) [ Other ]", "trust": 0.8 } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2021-004351" }, { "db": "NVD", "id": "CVE-2021-21362" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 1.7, "url": "https://github.com/minio/minio/commit/039f59b552319fcc2f83631bb421a7d4b82bc482" }, { "trust": 1.7, "url": "https://github.com/minio/minio/pull/11682" }, { "trust": 1.7, "url": "https://github.com/minio/minio/releases/tag/release.2021-03-04t00-53-13z" }, { "trust": 1.7, "url": "https://github.com/minio/minio/security/advisories/ghsa-hq5j-6r98-9m8v" }, { "trust": 1.4, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-21362" }, { "trust": 0.6, "url": "https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-redis-minio-golang-and-urllib3-affect-ibm-spectrum-protect-plus-container-backup-and-restore-for-kubernetes-and-openshift/" }, { "trust": 0.1, "url": "https://cwe.mitre.org/data/definitions/285.html" }, { "trust": 0.1, "url": "https://nvd.nist.gov" }, { "trust": 0.1, "url": "https://security.archlinux.org/asa-202103-5" }, { "trust": 0.1, "url": 
"https://security.archlinux.org/cve-2021-21362" } ], "sources": [ { "db": "VULMON", "id": "CVE-2021-21362" }, { "db": "JVNDB", "id": "JVNDB-2021-004351" }, { "db": "NVD", "id": "CVE-2021-21362" }, { "db": "CNNVD", "id": "CNNVD-202103-562" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "VULMON", "id": "CVE-2021-21362" }, { "db": "JVNDB", "id": "JVNDB-2021-004351" }, { "db": "NVD", "id": "CVE-2021-21362" }, { "db": "CNNVD", "id": "CNNVD-202103-562" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2021-03-08T00:00:00", "db": "VULMON", "id": "CVE-2021-21362" }, { "date": "2021-11-18T00:00:00", "db": "JVNDB", "id": "JVNDB-2021-004351" }, { "date": "2021-03-08T19:15:13.443000", "db": "NVD", "id": "CVE-2021-21362" }, { "date": "2021-03-08T00:00:00", "db": "CNNVD", "id": "CNNVD-202103-562" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2021-03-12T00:00:00", "db": "VULMON", "id": "CVE-2021-21362" }, { "date": "2021-11-18T08:52:00", "db": "JVNDB", "id": "JVNDB-2021-004351" }, { "date": "2022-10-21T22:40:12.743000", "db": "NVD", "id": "CVE-2021-21362" }, { "date": "2022-10-24T00:00:00", "db": "CNNVD", "id": "CNNVD-202103-562" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "CNNVD", "id": "CNNVD-202103-562" } ], "trust": 0.6 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "MinIO\u00a0 Authorization vulnerability in", 
"sources": [ { "db": "JVNDB", "id": "JVNDB-2021-004351" } ], "trust": 0.8 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "authorization issue", "sources": [ { "db": "CNNVD", "id": "CNNVD-202103-562" } ], "trust": 0.6 } }
var-202401-1568
Vulnerability from variot
MinIO is a High Performance Object Storage. When someone creates an access key, it inherits the permissions of the parent key — not only for `s3:*` actions, but also `admin:*` actions. This means that unless `admin` rights are denied somewhere above in the access-key hierarchy, access keys are able to simply override their own `s3` permissions to something more permissive. The vulnerability is fixed in RELEASE.2024-01-31T20-20-33Z. Minio Inc.'s Minio contains a permission management vulnerability. Information may be obtained, information may be tampered with, and service operation may be interrupted (DoS).
{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-202401-1568", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "minio", "scope": "eq", "trust": 1.8, "vendor": "minio", "version": "2024-01-31t20-20-33z" }, { "model": "minio", "scope": "eq", "trust": 0.8, "vendor": "minio", "version": null }, { "model": "minio", "scope": null, "trust": 0.8, "vendor": "minio", "version": null } ], "sources": [ { 
"db": "JVNDB", "id": "JVNDB-2024-002452" }, { "db": "NVD", "id": "CVE-2024-24747" } ] }, "cve": "CVE-2024-24747", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [], "cvssV3": [ { "attackComplexity": "LOW", "attackVector": "NETWORK", "author": "NVD", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "exploitabilityScore": 2.8, "impactScore": 5.9, "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "trust": 2.0, "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, { "attackComplexity": "Low", "attackVector": "Network", "author": "NVD", "availabilityImpact": "High", "baseScore": 8.8, "baseSeverity": "High", "confidentialityImpact": "High", "exploitabilityScore": null, "id": "CVE-2024-24747", "impactScore": null, "integrityImpact": "High", "privilegesRequired": "Low", "scope": "Unchanged", "trust": 0.8, "userInteraction": "None", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" } ], "severity": [ { "author": "NVD", "id": "CVE-2024-24747", "trust": 1.8, "value": "HIGH" }, { "author": "security-advisories@github.com", "id": "CVE-2024-24747", "trust": 1.0, "value": "HIGH" } ] } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2024-002452" }, { "db": "NVD", "id": "CVE-2024-24747" }, { 
"db": "NVD", "id": "CVE-2024-24747" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "MinIO is a High Performance Object Storage. When someone creates an access key, it inherits the permissions of the parent key. Not only for `s3:*` actions, but also `admin:*` actions. Which means unless somewhere above in the access-key hierarchy, the `admin` rights are denied, access keys will be able to simply override their own `s3` permissions to something more permissive. The vulnerability is fixed in RELEASE.2024-01-31T20-20-33Z. Minio Inc. of Minio Exists in a permission management vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state", "sources": [ { "db": "NVD", "id": "CVE-2024-24747" }, { "db": "JVNDB", "id": "JVNDB-2024-002452" }, { "db": "VULMON", "id": "CVE-2024-24747" } ], "trust": 1.71 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2024-24747", "trust": 2.7 }, { "db": "JVNDB", "id": "JVNDB-2024-002452", "trust": 0.8 }, { "db": "VULMON", "id": "CVE-2024-24747", "trust": 0.1 } ], "sources": [ { "db": "VULMON", "id": "CVE-2024-24747" }, { "db": "JVNDB", "id": "JVNDB-2024-002452" }, { "db": "NVD", "id": "CVE-2024-24747" } ] }, "id": "VAR-202401-1568", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "VARIoT devices database", "id": null } ], "trust": 0.18899521 }, "last_update_date": "2024-02-15T23:13:44.206000Z", "problemtype_data": { "@context": { 
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "CWE-269", "trust": 1.0 }, { "problemtype": "Improper authority management (CWE-269) [ others ]", "trust": 0.8 } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2024-002452" }, { "db": "NVD", "id": "CVE-2024-24747" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 1.9, "url": "https://github.com/minio/minio/security/advisories/ghsa-xx8w-mq23-29g4" }, { "trust": 1.9, "url": "https://github.com/minio/minio/commit/0ae4915a9391ef4b3ec80f5fcdcf24ee6884e776" }, { "trust": 1.9, "url": "https://github.com/minio/minio/releases/tag/release.2024-01-31t20-20-33z" }, { "trust": 0.8, "url": "https://nvd.nist.gov/vuln/detail/cve-2024-24747" }, { "trust": 0.1, "url": "https://cwe.mitre.org/data/definitions/269.html" }, { "trust": 0.1, "url": "https://nvd.nist.gov" } ], "sources": [ { "db": "VULMON", "id": "CVE-2024-24747" }, { "db": "JVNDB", "id": "JVNDB-2024-002452" }, { "db": "NVD", "id": "CVE-2024-24747" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "VULMON", "id": "CVE-2024-24747" }, { "db": "JVNDB", "id": "JVNDB-2024-002452" }, { "db": "NVD", "id": "CVE-2024-24747" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2024-01-31T00:00:00", "db": "VULMON", "id": "CVE-2024-24747" }, { "date": "2024-02-14T00:00:00", "db": "JVNDB", "id": "JVNDB-2024-002452" }, { "date": "2024-01-31T22:15:54.813000", "db": "NVD", "id": "CVE-2024-24747" } ] }, "sources_update_date": { "@context": { 
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2024-02-01T00:00:00", "db": "VULMON", "id": "CVE-2024-24747" }, { "date": "2024-02-14T06:58:00", "db": "JVNDB", "id": "JVNDB-2024-002452" }, { "date": "2024-02-09T15:18:00.510000", "db": "NVD", "id": "CVE-2024-24747" } ] }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Minio\u00a0Inc.\u00a0 of \u00a0Minio\u00a0 Vulnerability in privilege management in", "sources": [ { "db": "JVNDB", "id": "JVNDB-2024-002452" } ], "trust": 0.8 } }
var-202303-1848
Vulnerability from variot
Minio is a Multi-Cloud Object Storage framework. Prior to RELEASE.2023-03-20T20-16-18Z, an attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing `PostPolicyBucket`. To carry out this attack, the attacker requires credentials with `arn:aws:s3:::*` permission, as well as enabled Console API access. This issue has been patched in RELEASE.2023-03-20T20-16-18Z. As a workaround, enable browser API access and turn off `MINIO_BROWSER=off`. Minio Inc.'s Minio contains unspecified vulnerabilities. Information may be obtained, information may be tampered with, and service operation may be interrupted (DoS).
{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-202303-1848", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "minio", "scope": "lt", "trust": 1.0, "vendor": "minio", "version": "2023-03-20t20-16-18z" }, { "model": "minio", "scope": null, "trust": 0.8, "vendor": "minio", "version": null }, { "model": "minio", "scope": "eq", "trust": 0.8, "vendor": "minio", "version": null }, { "model": "minio", 
"scope": "eq", "trust": 0.8, "vendor": "minio", "version": "2023-03-20t20-16-18z" } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2023-005843" }, { "db": "NVD", "id": "CVE-2023-28434" } ] }, "configurations": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/configurations#", "children": { "@container": "@list" }, "cpe_match": { "@container": "@list" }, "data": { "@container": "@list" }, "nodes": { "@container": "@list" } }, "data": [ { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "2023-03-20t20-16-18z", "vulnerable": true } ], "operator": "OR" } ] } ], "sources": [ { "db": "NVD", "id": "CVE-2023-28434" } ] }, "cve": "CVE-2023-28434", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [], "cvssV3": [ { "attackComplexity": "LOW", "attackVector": "NETWORK", "author": "NVD", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "exploitabilityScore": 2.8, "impactScore": 5.9, "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "trust": 2.0, "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, { "attackComplexity": "Low", "attackVector": "Network", "author": "NVD", "availabilityImpact": "High", 
"baseScore": 8.8, "baseSeverity": "High", "confidentialityImpact": "High", "exploitabilityScore": null, "id": "CVE-2023-28434", "impactScore": null, "integrityImpact": "High", "privilegesRequired": "Low", "scope": "Unchanged", "trust": 0.8, "userInteraction": "None", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" } ], "severity": [ { "author": "NVD", "id": "CVE-2023-28434", "trust": 1.8, "value": "HIGH" }, { "author": "security-advisories@github.com", "id": "CVE-2023-28434", "trust": 1.0, "value": "HIGH" }, { "author": "CNNVD", "id": "CNNVD-202303-1792", "trust": 0.6, "value": "HIGH" } ] } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2023-005843" }, { "db": "CNNVD", "id": "CNNVD-202303-1792" }, { "db": "NVD", "id": "CVE-2023-28434" }, { "db": "NVD", "id": "CVE-2023-28434" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Minio is a Multi-Cloud Object Storage framework. Prior to RELEASE.2023-03-20T20-16-18Z, an attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing `PostPolicyBucket`. To carry out this attack, the attacker requires credentials with `arn:aws:s3:::*` permission, as well as enabled Console API access. This issue has been patched in RELEASE.2023-03-20T20-16-18Z. As a workaround, enable browser API access and turn off `MINIO_BROWSER=off`. Minio Inc. of Minio Exists in unspecified vulnerabilities.Information is obtained, information is tampered with, and service operation is interrupted. 
(DoS) It may be in a state", "sources": [ { "db": "NVD", "id": "CVE-2023-28434" }, { "db": "JVNDB", "id": "JVNDB-2023-005843" }, { "db": "VULMON", "id": "CVE-2023-28434" } ], "trust": 1.71 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2023-28434", "trust": 3.3 }, { "db": "JVNDB", "id": "JVNDB-2023-005843", "trust": 0.8 }, { "db": "CNNVD", "id": "CNNVD-202303-1792", "trust": 0.6 }, { "db": "VULMON", "id": "CVE-2023-28434", "trust": 0.1 } ], "sources": [ { "db": "VULMON", "id": "CVE-2023-28434" }, { "db": "JVNDB", "id": "JVNDB-2023-005843" }, { "db": "CNNVD", "id": "CNNVD-202303-1792" }, { "db": "NVD", "id": "CVE-2023-28434" } ] }, "id": "VAR-202303-1848", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "VARIoT devices database", "id": null } ], "trust": 0.18899521 }, "last_update_date": "2024-06-26T23:18:41.829000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "MinIO Security vulnerabilities", "trust": 0.6, "url": "http://123.124.177.30/web/xxk/bdxqbyid.tag?id=230916" }, { "title": "", "trust": 0.1, "url": "https://github.com/mr-xn/cve-2023-28434 " } ], "sources": [ { "db": "VULMON", "id": "CVE-2023-28434" }, { "db": "CNNVD", "id": "CNNVD-202303-1792" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": 
"NVD-CWE-noinfo", "trust": 1.0 }, { "problemtype": "Lack of information (CWE-noinfo) [NVD evaluation ]", "trust": 0.8 } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2023-005843" }, { "db": "NVD", "id": "CVE-2023-28434" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 2.5, "url": "https://github.com/minio/minio/security/advisories/ghsa-2pxw-r47w-4p8c" }, { "trust": 2.5, "url": "https://github.com/minio/minio/pull/16849" }, { "trust": 2.5, "url": "https://github.com/minio/minio/commit/67f4ba154a27a1b06e48bfabda38355a010dfca5" }, { "trust": 0.8, "url": "https://nvd.nist.gov/vuln/detail/cve-2023-28434" }, { "trust": 0.8, "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" }, { "trust": 0.6, "url": "https://cxsecurity.com/cveshow/cve-2023-28434/" }, { "trust": 0.1, "url": "https://cwe.mitre.org/data/definitions/269.html" }, { "trust": 0.1, "url": "https://github.com/mr-xn/cve-2023-28434" }, { "trust": 0.1, "url": "https://nvd.nist.gov" } ], "sources": [ { "db": "VULMON", "id": "CVE-2023-28434" }, { "db": "JVNDB", "id": "JVNDB-2023-005843" }, { "db": "CNNVD", "id": "CNNVD-202303-1792" }, { "db": "NVD", "id": "CVE-2023-28434" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "VULMON", "id": "CVE-2023-28434" }, { "db": "JVNDB", "id": "JVNDB-2023-005843" }, { "db": "CNNVD", "id": "CNNVD-202303-1792" }, { "db": "NVD", "id": "CVE-2023-28434" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2023-03-22T00:00:00", "db": "VULMON", "id": "CVE-2023-28434" }, { "date": "2023-11-10T00:00:00", "db": "JVNDB", "id": "JVNDB-2023-005843" }, { "date": 
"2023-03-22T00:00:00", "db": "CNNVD", "id": "CNNVD-202303-1792" }, { "date": "2023-03-22T21:15:18.427000", "db": "NVD", "id": "CVE-2023-28434" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2023-03-23T00:00:00", "db": "VULMON", "id": "CVE-2023-28434" }, { "date": "2023-11-10T04:23:00", "db": "JVNDB", "id": "JVNDB-2023-005843" }, { "date": "2023-03-29T00:00:00", "db": "CNNVD", "id": "CNNVD-202303-1792" }, { "date": "2024-06-21T16:12:41.387000", "db": "NVD", "id": "CVE-2023-28434" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "CNNVD", "id": "CNNVD-202303-1792" } ], "trust": 0.6 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Minio\u00a0Inc.\u00a0 of \u00a0Minio\u00a0 Vulnerability in", "sources": [ { "db": "JVNDB", "id": "JVNDB-2023-005843" } ], "trust": 0.8 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "other", "sources": [ { "db": "CNNVD", "id": "CNNVD-202303-1792" } ], "trust": 0.6 } }
var-202110-0560
Vulnerability from variot
Minio is a Kubernetes native application for cloud storage. All users on release `RELEASE.2021-10-10T16-53-30Z` are affected by a vulnerability that involves bypassing policy restrictions on regular users. Normally, checkKeyValid() should return owner true for rootCreds. In the affected version, policy restriction did not work properly for users who did not have service (svc) or security token service (STS) accounts. This issue is fixed in `RELEASE.2021-10-13T00-23-17Z`. A downgrade back to release `RELEASE.2021-10-08T23-58-24Z` is available as a workaround.
{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-202110-0560", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "minio", "scope": "eq", "trust": 1.0, "vendor": "minio", "version": "2021-10-10t16-53-30z" } ], "sources": [ { "db": "NVD", "id": "CVE-2021-41137" } ] }, "configurations": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/configurations#", "children": { "@container": "@list" }, 
"cpe_match": { "@container": "@list" }, "data": { "@container": "@list" }, "nodes": { "@container": "@list" } }, "data": [ { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:minio:minio:2021-10-10t16-53-30z:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" } ] } ], "sources": [ { "db": "NVD", "id": "CVE-2021-41137" } ] }, "cve": "CVE-2021-41137", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [ { "acInsufInfo": false, "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "author": "NVD", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "exploitabilityScore": 8.0, "impactScore": 6.4, "integrityImpact": "PARTIAL", "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "trust": 1.0, "userInteractionRequired": false, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" } ], "cvssV3": [ { "attackComplexity": "LOW", "attackVector": "NETWORK", "author": "security-advisories@github.com", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "exploitabilityScore": 2.8, "impactScore": 5.9, "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "trust": 1.0, "userInteraction": 
"NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } ], "severity": [ { "author": "NVD", "id": "CVE-2021-41137", "trust": 1.0, "value": "MEDIUM" }, { "author": "security-advisories@github.com", "id": "CVE-2021-41137", "trust": 1.0, "value": "HIGH" }, { "author": "CNNVD", "id": "CNNVD-202110-973", "trust": 0.6, "value": "HIGH" } ] } ], "sources": [ { "db": "NVD", "id": "CVE-2021-41137" }, { "db": "NVD", "id": "CVE-2021-41137" }, { "db": "CNNVD", "id": "CNNVD-202110-973" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Minio is a Kubernetes native application for cloud storage. All users on release `RELEASE.2021-10-10T16-53-30Z` are affected by a vulnerability that involves bypassing policy restrictions on regular users. Normally, checkKeyValid() should return owner true for rootCreds. In the affected version, policy restriction did not work properly for users who did not have service (svc) or security token service (STS) accounts. This issue is fixed in `RELEASE.2021-10-13T00-23-17Z`. 
A downgrade back to release `RELEASE.2021-10-08T23-58-24Z` is available as a workaround.", "sources": [ { "db": "NVD", "id": "CVE-2021-41137" } ], "trust": 1.0 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2021-41137", "trust": 1.6 }, { "db": "CNNVD", "id": "CNNVD-202110-973", "trust": 0.6 } ], "sources": [ { "db": "NVD", "id": "CVE-2021-41137" }, { "db": "CNNVD", "id": "CNNVD-202110-973" } ] }, "id": "VAR-202110-0560", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "VARIoT devices database", "id": null } ], "trust": 0.18899521 }, "last_update_date": "2023-12-18T13:12:22.924000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "Minio Remediation measures for authorization problem vulnerabilities", "trust": 0.6, "url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=165635" } ], "sources": [ { "db": "CNNVD", "id": "CNNVD-202110-973" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "NVD-CWE-Other", "trust": 1.0 } ], "sources": [ { "db": "NVD", "id": "CVE-2021-41137" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 
1.6, "url": "https://github.com/minio/minio/commit/415bbc74aacd53a120e54a663e941b1809982dbd" }, { "trust": 1.6, "url": "https://github.com/minio/minio/pull/13388" }, { "trust": 1.6, "url": "https://github.com/minio/minio/pull/13422" }, { "trust": 1.6, "url": "https://github.com/minio/minio/security/advisories/ghsa-v64v-g97p-577c" }, { "trust": 0.6, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-41137" } ], "sources": [ { "db": "NVD", "id": "CVE-2021-41137" }, { "db": "CNNVD", "id": "CNNVD-202110-973" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "NVD", "id": "CVE-2021-41137" }, { "db": "CNNVD", "id": "CNNVD-202110-973" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2021-10-13T14:15:07.827000", "db": "NVD", "id": "CVE-2021-41137" }, { "date": "2021-10-13T00:00:00", "db": "CNNVD", "id": "CNNVD-202110-973" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2022-08-12T16:29:57.947000", "db": "NVD", "id": "CVE-2021-41137" }, { "date": "2022-08-15T00:00:00", "db": "CNNVD", "id": "CNNVD-202110-973" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "CNNVD", "id": "CNNVD-202110-973" } ], "trust": 0.6 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "MinIO Security hole", "sources": [ { "db": "CNNVD", "id": "CNNVD-202110-973" } ], "trust": 0.6 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", 
"sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "other", "sources": [ { "db": "CNNVD", "id": "CNNVD-202110-973" } ], "trust": 0.6 } }
var-202303-1729
Vulnerability from variot
Minio is a Multi-Cloud Object Storage framework. All users on Windows prior to version RELEASE.2023-03-20T20-16-18Z are impacted. MinIO fails to filter the `\` (backslash) character, which allows for arbitrary object placement across buckets. As a result, a user with low privileges, such as an access key, service account, or STS credential, which only has permission to PutObject in a specific bucket, can create an admin user. This issue is patched in RELEASE.2023-03-20T20-16-18Z. There are no known workarounds. Minio Inc.'s Minio contains an unspecified vulnerability: information may be obtained, information may be tampered with, and service operation may be interrupted (DoS).
{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-202303-1729", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "minio", "scope": "lt", "trust": 1.0, "vendor": "minio", "version": "2023-03-20t20-16-18z" }, { "model": "minio", "scope": null, "trust": 0.8, "vendor": "minio", "version": null }, { "model": "minio", "scope": "eq", "trust": 0.8, "vendor": "minio", "version": null }, { "model": "minio", "scope": "eq", "trust": 0.8, "vendor": "minio", "version": "2023-03-20t20-16-18z" } ], 
"sources": [ { "db": "JVNDB", "id": "JVNDB-2023-005842" }, { "db": "NVD", "id": "CVE-2023-28433" } ] }, "configurations": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/configurations#", "children": { "@container": "@list" }, "cpe_match": { "@container": "@list" }, "data": { "@container": "@list" }, "nodes": { "@container": "@list" } }, "data": [ { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "2023-03-20t20-16-18z", "vulnerable": true } ], "operator": "OR" } ] } ], "sources": [ { "db": "NVD", "id": "CVE-2023-28433" } ] }, "cve": "CVE-2023-28433", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [], "cvssV3": [ { "attackComplexity": "LOW", "attackVector": "NETWORK", "author": "NVD", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "exploitabilityScore": 2.8, "impactScore": 5.9, "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "trust": 2.0, "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, { "attackComplexity": "Low", "attackVector": "Network", "author": "NVD", "availabilityImpact": "High", "baseScore": 8.8, "baseSeverity": "High", "confidentialityImpact": "High", 
"exploitabilityScore": null, "id": "CVE-2023-28433", "impactScore": null, "integrityImpact": "High", "privilegesRequired": "Low", "scope": "Unchanged", "trust": 0.8, "userInteraction": "None", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" } ], "severity": [ { "author": "NVD", "id": "CVE-2023-28433", "trust": 1.8, "value": "HIGH" }, { "author": "security-advisories@github.com", "id": "CVE-2023-28433", "trust": 1.0, "value": "HIGH" }, { "author": "CNNVD", "id": "CNNVD-202303-1793", "trust": 0.6, "value": "HIGH" } ] } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2023-005842" }, { "db": "NVD", "id": "CVE-2023-28433" }, { "db": "NVD", "id": "CVE-2023-28433" }, { "db": "CNNVD", "id": "CNNVD-202303-1793" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Minio is a Multi-Cloud Object Storage framework. All users on Windows prior to version RELEASE.2023-03-20T20-16-18Z are impacted. MinIO fails to filter the `\\` character, which allows for arbitrary object placement across buckets. As a result, a user with low privileges, such as an access key, service account, or STS credential, which only has permission to `PutObject` in a specific bucket, can create an admin user. This issue is patched in RELEASE.2023-03-20T20-16-18Z. There are no known workarounds. Minio Inc. of Minio Exists in unspecified vulnerabilities.Information is obtained, information is tampered with, and service operation is interrupted. 
(DoS) It may be in a state", "sources": [ { "db": "NVD", "id": "CVE-2023-28433" }, { "db": "JVNDB", "id": "JVNDB-2023-005842" }, { "db": "VULMON", "id": "CVE-2023-28433" } ], "trust": 1.71 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2023-28433", "trust": 3.3 }, { "db": "JVNDB", "id": "JVNDB-2023-005842", "trust": 0.8 }, { "db": "CNNVD", "id": "CNNVD-202303-1793", "trust": 0.6 }, { "db": "VULMON", "id": "CVE-2023-28433", "trust": 0.1 } ], "sources": [ { "db": "VULMON", "id": "CVE-2023-28433" }, { "db": "JVNDB", "id": "JVNDB-2023-005842" }, { "db": "NVD", "id": "CVE-2023-28433" }, { "db": "CNNVD", "id": "CNNVD-202303-1793" } ] }, "id": "VAR-202303-1729", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "VARIoT devices database", "id": null } ], "trust": 0.18899521 }, "last_update_date": "2023-12-18T13:41:34.735000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "MinIO Security vulnerabilities", "trust": 0.6, "url": "http://123.124.177.30/web/xxk/bdxqbyid.tag?id=230917" } ], "sources": [ { "db": "CNNVD", "id": "CNNVD-202303-1793" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "NVD-CWE-noinfo", "trust": 1.0 }, { "problemtype": "Lack of information (CWE-noinfo) [NVD evaluation ]", "trust": 0.8 } ], "sources": [ { 
"db": "JVNDB", "id": "JVNDB-2023-005842" }, { "db": "NVD", "id": "CVE-2023-28433" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 2.5, "url": "https://github.com/minio/minio/commit/8d6558b23649f613414c8527b58973fbdfa4d1b8" }, { "trust": 2.5, "url": "https://github.com/minio/minio/security/advisories/ghsa-w23q-4hw3-2pp6" }, { "trust": 2.5, "url": "https://github.com/minio/minio/commit/b3c54ec81e0a06392abfb3a1ffcdc80c6fbf6ebc" }, { "trust": 2.5, "url": "https://github.com/minio/minio/releases/tag/release.2023-03-20t20-16-18z" }, { "trust": 0.8, "url": "https://nvd.nist.gov/vuln/detail/cve-2023-28433" }, { "trust": 0.6, "url": "https://cxsecurity.com/cveshow/cve-2023-28433/" }, { "trust": 0.1, "url": "https://cwe.mitre.org/data/definitions/668.html" }, { "trust": 0.1, "url": "https://nvd.nist.gov" } ], "sources": [ { "db": "VULMON", "id": "CVE-2023-28433" }, { "db": "JVNDB", "id": "JVNDB-2023-005842" }, { "db": "NVD", "id": "CVE-2023-28433" }, { "db": "CNNVD", "id": "CNNVD-202303-1793" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "VULMON", "id": "CVE-2023-28433" }, { "db": "JVNDB", "id": "JVNDB-2023-005842" }, { "db": "NVD", "id": "CVE-2023-28433" }, { "db": "CNNVD", "id": "CNNVD-202303-1793" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2023-03-22T00:00:00", "db": "VULMON", "id": "CVE-2023-28433" }, { "date": "2023-11-10T00:00:00", "db": "JVNDB", "id": "JVNDB-2023-005842" }, { "date": "2023-03-22T21:15:18.340000", "db": "NVD", "id": "CVE-2023-28433" }, { "date": "2023-03-22T00:00:00", "db": "CNNVD", "id": "CNNVD-202303-1793" } ] }, 
"sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2023-03-23T00:00:00", "db": "VULMON", "id": "CVE-2023-28433" }, { "date": "2023-11-10T04:23:00", "db": "JVNDB", "id": "JVNDB-2023-005842" }, { "date": "2023-03-28T16:25:36.637000", "db": "NVD", "id": "CVE-2023-28433" }, { "date": "2023-03-29T00:00:00", "db": "CNNVD", "id": "CNNVD-202303-1793" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "CNNVD", "id": "CNNVD-202303-1793" } ], "trust": 0.6 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Minio\u00a0Inc.\u00a0 of \u00a0Minio\u00a0 Vulnerability in", "sources": [ { "db": "JVNDB", "id": "JVNDB-2023-005842" } ], "trust": 0.8 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "other", "sources": [ { "db": "CNNVD", "id": "CNNVD-202303-1793" } ], "trust": 0.6 } }
var-202111-1069
Vulnerability from variot
Minio console is a graphical user interface for the MinIO operator. Minio itself is a multi-cloud object storage project. Affected versions are subject to an authentication bypass issue in the Operator Console when an external IDP is enabled. All users on release v0.12.2 and before are affected and are advised to update to 0.12.3 or newer. Users unable to upgrade should add automountServiceAccountToken: false to the operator-console deployment in Kubernetes so that no service account token is mounted inside the pod, then disable external identity provider authentication by unsetting the CONSOLE_IDP_URL, CONSOLE_IDP_CLIENT_ID, CONSOLE_IDP_SECRET and CONSOLE_IDP_CALLBACK environment variables, and instead use the Kubernetes service account token. Minio console contains a missing-authentication-for-critical-function vulnerability: information may be obtained, information may be tampered with, and service operation may be interrupted (DoS). MinIO is an open source object storage server from MinIO (Minio) in the United States. The product supports the construction of infrastructure for machine learning, analytics, and application data workloads.
Minio 0.12.2 and earlier versions have an access control error vulnerability. No further vulnerability details are currently available.
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-202111-1069", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "minio console", "scope": "lt", "trust": 1.0, "vendor": "min", "version": "0.12.3" }, { "model": "console", "scope": "eq", "trust": 0.8, "vendor": "minio", "version": null }, { "model": "console", "scope": "lte", "trust": 0.8, "vendor": "minio", "version": "0.12.2 and earlier" }, { "model": "minio", "scope": "lte", "trust": 0.6, "vendor": "minio", "version": "\u003c=0.12.2" } ], "sources": [ { "db": "CNVD", "id": "CNVD-2021-88205" }, { "db": "JVNDB", "id": "JVNDB-2021-014927" }, { 
"db": "NVD", "id": "CVE-2021-41266" } ] }, "cve": "CVE-2021-41266", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [ { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "author": "nvd@nist.gov", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "exploitabilityScore": 8.6, "id": "CVE-2021-41266", "impactScore": 6.4, "integrityImpact": "PARTIAL", "severity": "MEDIUM", "trust": 1.9, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0" }, { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "author": "CNVD", "availabilityImpact": "PARTIAL", "baseScore": 9.0, "confidentialityImpact": "COMPLETE", "exploitabilityScore": 10.0, "id": "CNVD-2021-88205", "impactScore": 8.5, "integrityImpact": "PARTIAL", "severity": "HIGH", "trust": 0.6, "vectorString": "AV:N/AC:L/Au:N/C:C/I:P/A:P", "version": "2.0" } ], "cvssV3": [ { "attackComplexity": "LOW", "attackVector": "NETWORK", "author": "nvd@nist.gov", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "exploitabilityScore": 3.9, "id": "CVE-2021-41266", "impactScore": 5.9, "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "trust": 1.0, "userInteraction": "NONE", "vectorString": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, { "attackComplexity": "LOW", "attackVector": "NETWORK", "author": "security-advisories@github.com", "availabilityImpact": "LOW", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "exploitabilityScore": 3.9, "id": "CVE-2021-41266", "impactScore": 4.7, "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "trust": 1.0, "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L", "version": "3.1" }, { "attackComplexity": "Low", "attackVector": "Network", "author": "NVD", "availabilityImpact": "High", "baseScore": 9.8, "baseSeverity": "Critical", "confidentialityImpact": "High", "exploitabilityScore": null, "id": "CVE-2021-41266", "impactScore": null, "integrityImpact": "High", "privilegesRequired": "None", "scope": "Unchanged", "trust": 0.8, "userInteraction": "None", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" } ], "severity": [ { "author": "nvd@nist.gov", "id": "CVE-2021-41266", "trust": 1.0, "value": "CRITICAL" }, { "author": "security-advisories@github.com", "id": "CVE-2021-41266", "trust": 1.0, "value": "HIGH" }, { "author": "NVD", "id": "CVE-2021-41266", "trust": 0.8, "value": "Critical" }, { "author": "CNVD", "id": "CNVD-2021-88205", "trust": 0.6, "value": "HIGH" }, { "author": "CNNVD", "id": "CNNVD-202111-1271", "trust": 0.6, "value": "HIGH" }, { "author": "VULMON", "id": "CVE-2021-41266", "trust": 0.1, "value": "MEDIUM" } ] } ], "sources": [ { "db": "CNVD", "id": "CNVD-2021-88205" }, { "db": "VULMON", "id": "CVE-2021-41266" }, { "db": "JVNDB", "id": "JVNDB-2021-014927" }, { "db": "CNNVD", "id": "CNNVD-202111-1271" }, { "db": "NVD", "id": "CVE-2021-41266" }, { "db": "NVD", "id": "CVE-2021-41266" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": 
"https://www.variotdbs.pl/ref/sources#" } } }, "data": "Minio console is a graphical user interface for the for MinIO operator. Minio itself is a multi-cloud object storage project. Affected versions are subject to an authentication bypass issue in the Operator Console when an external IDP is enabled. All users on release v0.12.2 and before are affected and are advised to update to 0.12.3 or newer. Users unable to upgrade should add automountServiceAccountToken: false to the operator-console deployment in Kubernetes so no service account token will get mounted inside the pod, then disable the external identity provider authentication by unset the CONSOLE_IDP_URL, CONSOLE_IDP_CLIENT_ID, CONSOLE_IDP_SECRET and CONSOLE_IDP_CALLBACK environment variable and instead use the Kubernetes service account token. Minio console There is a vulnerability in the lack of authentication for critical features.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. Minio MinIO is an open source object storage server from MinIO (Minio) in the United States. The product supports the construction of infrastructure for machine learning, analytics, and application data workloads. \n\r\n\r\nMinio 0.12.2 and earlier versions have an access control error vulnerability. 
No detailed vulnerability details are currently provided", "sources": [ { "db": "NVD", "id": "CVE-2021-41266" }, { "db": "JVNDB", "id": "JVNDB-2021-014927" }, { "db": "CNVD", "id": "CNVD-2021-88205" }, { "db": "VULMON", "id": "CVE-2021-41266" } ], "trust": 2.25 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2021-41266", "trust": 3.9 }, { "db": "JVNDB", "id": "JVNDB-2021-014927", "trust": 0.8 }, { "db": "CNVD", "id": "CNVD-2021-88205", "trust": 0.6 }, { "db": "CNNVD", "id": "CNNVD-202111-1271", "trust": 0.6 }, { "db": "VULMON", "id": "CVE-2021-41266", "trust": 0.1 } ], "sources": [ { "db": "CNVD", "id": "CNVD-2021-88205" }, { "db": "VULMON", "id": "CVE-2021-41266" }, { "db": "JVNDB", "id": "JVNDB-2021-014927" }, { "db": "CNNVD", "id": "CNNVD-202111-1271" }, { "db": "NVD", "id": "CVE-2021-41266" } ] }, "id": "VAR-202111-1069", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "CNVD", "id": "CNVD-2021-88205" } ], "trust": 0.06 }, "iot_taxonomy": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "category": [ "Network device" ], "sub_category": null, "trust": 0.6 } ], "sources": [ { "db": "CNVD", "id": "CNVD-2021-88205" } ] }, "last_update_date": "2024-11-23T21:33:29.621000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": 
"Fixed\u00a0broken\u00a0oauth2\u00a0login\u00a0for\u00a0operator\u00a0#1217 GitHub", "trust": 0.8, "url": "https://github.com/minio/console/pull/1217" }, { "title": "Patch for Minio access control error vulnerability", "trust": 0.6, "url": "https://www.cnvd.org.cn/patchInfo/show/298151" }, { "title": "Minio Fixes for access control error vulnerabilities", "trust": 0.6, "url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=172335" }, { "title": "", "trust": 0.1, "url": "https://github.com/20142995/Goby " } ], "sources": [ { "db": "CNVD", "id": "CNVD-2021-88205" }, { "db": "VULMON", "id": "CVE-2021-41266" }, { "db": "JVNDB", "id": "JVNDB-2021-014927" }, { "db": "CNNVD", "id": "CNNVD-202111-1271" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "CWE-306", "trust": 1.0 }, { "problemtype": "Lack of authentication for critical features (CWE-306) [ others ]", "trust": 0.8 } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2021-014927" }, { "db": "NVD", "id": "CVE-2021-41266" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 2.0, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-41266" }, { "trust": 1.7, "url": "https://github.com/minio/console/pull/1217" }, { "trust": 1.7, "url": "https://github.com/minio/console/security/advisories/ghsa-4999-659w-mq36" }, { "trust": 0.1, "url": "https://cwe.mitre.org/data/definitions/306.html" }, { "trust": 0.1, "url": "https://nvd.nist.gov" }, { "trust": 0.1, "url": "https://github.com/20142995/goby" } ], "sources": [ { "db": "CNVD", "id": "CNVD-2021-88205" }, { "db": "VULMON", "id": "CVE-2021-41266" }, { "db": "JVNDB", "id": "JVNDB-2021-014927" }, { 
"db": "CNNVD", "id": "CNNVD-202111-1271" }, { "db": "NVD", "id": "CVE-2021-41266" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "CNVD", "id": "CNVD-2021-88205" }, { "db": "VULMON", "id": "CVE-2021-41266" }, { "db": "JVNDB", "id": "JVNDB-2021-014927" }, { "db": "CNNVD", "id": "CNNVD-202111-1271" }, { "db": "NVD", "id": "CVE-2021-41266" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2021-11-17T00:00:00", "db": "CNVD", "id": "CNVD-2021-88205" }, { "date": "2021-11-15T00:00:00", "db": "VULMON", "id": "CVE-2021-41266" }, { "date": "2022-11-02T00:00:00", "db": "JVNDB", "id": "JVNDB-2021-014927" }, { "date": "2021-11-15T00:00:00", "db": "CNNVD", "id": "CNNVD-202111-1271" }, { "date": "2021-11-15T21:15:07.320000", "db": "NVD", "id": "CVE-2021-41266" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2021-11-17T00:00:00", "db": "CNVD", "id": "CNVD-2021-88205" }, { "date": "2021-11-19T00:00:00", "db": "VULMON", "id": "CVE-2021-41266" }, { "date": "2022-11-02T01:12:00", "db": "JVNDB", "id": "JVNDB-2021-014927" }, { "date": "2021-12-01T00:00:00", "db": "CNNVD", "id": "CNNVD-202111-1271" }, { "date": "2024-11-21T06:25:55.447000", "db": "NVD", "id": "CVE-2021-41266" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "CNNVD", "id": "CNNVD-202111-1271" } ], "trust": 0.6 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Minio 
access control error vulnerability", "sources": [ { "db": "CNVD", "id": "CNVD-2021-88205" }, { "db": "CNNVD", "id": "CNNVD-202111-1271" } ], "trust": 1.2 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "access control error", "sources": [ { "db": "CNNVD", "id": "CNNVD-202111-1271" } ], "trust": 0.6 } }
var-202208-0159
Vulnerability from variot
MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. In affected versions all 'admin' users authorized for admin:ServerUpdate
can selectively trigger an error that, in response, returns the content of the path requested. Any normal OS system would allow access to contents at any arbitrary paths that are readable by the MinIO process. Users are advised to upgrade. Users unable to upgrade may disable the ServerUpdate API by denying the admin:ServerUpdate
action for their admin users via IAM policies. Minio Inc.'s Minio contains a path traversal vulnerability. Information may be obtained.
{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-202208-0159", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "minio", "scope": "lt", "trust": 1.0, "vendor": "minio", "version": "2022-07-29t19-40-48z" }, { "model": "minio", "scope": null, "trust": 0.8, "vendor": "minio", "version": null }, { "model": "minio", "scope": "eq", "trust": 0.8, "vendor": "minio", "version": "2022-07-29t19-40-48z" }, { 
"model": "minio", "scope": "eq", "trust": 0.8, "vendor": "minio", "version": null } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2022-014251" }, { "db": "NVD", "id": "CVE-2022-35919" } ] }, "configurations": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/configurations#", "children": { "@container": "@list" }, "cpe_match": { "@container": "@list" }, "data": { "@container": "@list" }, "nodes": { "@container": "@list" } }, "data": [ { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "2022-07-29t19-40-48z", "vulnerable": true } ], "operator": "OR" } ] } ], "sources": [ { "db": "NVD", "id": "CVE-2022-35919" } ] }, "cve": "CVE-2022-35919", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [], "cvssV3": [ { "attackComplexity": "LOW", "attackVector": "NETWORK", "author": "NVD", "availabilityImpact": "NONE", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "exploitabilityScore": 1.2, "impactScore": 1.4, "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "trust": 1.0, "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, { "attackComplexity": "LOW", "attackVector": "NETWORK", "author": "security-advisories@github.com", 
"availabilityImpact": "LOW", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "exploitabilityScore": 3.1, "impactScore": 3.7, "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "trust": 1.0, "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L", "version": "3.1" }, { "attackComplexity": "Low", "attackVector": "Network", "author": "NVD", "availabilityImpact": "None", "baseScore": 2.7, "baseSeverity": "Low", "confidentialityImpact": "Low", "exploitabilityScore": null, "id": "CVE-2022-35919", "impactScore": null, "integrityImpact": "None", "privilegesRequired": "High", "scope": "Unchanged", "trust": 0.8, "userInteraction": "None", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "version": "3.0" } ], "severity": [ { "author": "NVD", "id": "CVE-2022-35919", "trust": 1.8, "value": "LOW" }, { "author": "security-advisories@github.com", "id": "CVE-2022-35919", "trust": 1.0, "value": "HIGH" }, { "author": "CNNVD", "id": "CNNVD-202208-1987", "trust": 0.6, "value": "LOW" } ] } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2022-014251" }, { "db": "NVD", "id": "CVE-2022-35919" }, { "db": "NVD", "id": "CVE-2022-35919" }, { "db": "CNNVD", "id": "CNNVD-202208-1987" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. In affected versions all \u0027admin\u0027 users authorized for `admin:ServerUpdate` can selectively trigger an error that in response, returns the content of the path requested. Any normal OS system would allow access to contents at any arbitrary paths that are readable by MinIO process. Users are advised to upgrade. 
Users unable to upgrade may disable ServerUpdate API by denying the `admin:ServerUpdate` action for your admin users via IAM policies. Minio Inc. of Minio Exists in a past traversal vulnerability.Information may be obtained", "sources": [ { "db": "NVD", "id": "CVE-2022-35919" }, { "db": "JVNDB", "id": "JVNDB-2022-014251" }, { "db": "VULMON", "id": "CVE-2022-35919" } ], "trust": 1.71 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2022-35919", "trust": 3.3 }, { "db": "PACKETSTORM", "id": "175010", "trust": 1.0 }, { "db": "JVNDB", "id": "JVNDB-2022-014251", "trust": 0.8 }, { "db": "CNNVD", "id": "CNNVD-202208-1987", "trust": 0.6 }, { "db": "VULMON", "id": "CVE-2022-35919", "trust": 0.1 } ], "sources": [ { "db": "VULMON", "id": "CVE-2022-35919" }, { "db": "JVNDB", "id": "JVNDB-2022-014251" }, { "db": "NVD", "id": "CVE-2022-35919" }, { "db": "CNNVD", "id": "CNNVD-202208-1987" } ] }, "id": "VAR-202208-0159", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "VARIoT devices database", "id": null } ], "trust": 0.18899521 }, "last_update_date": "2023-12-18T13:32:01.265000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "MinIO Repair measures for path traversal vulnerabilities", "trust": 0.6, "url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=203876" } ], "sources": [ { "db": "CNNVD", "id": "CNNVD-202208-1987" } ] }, "problemtype_data": { "@context": { "@vocab": 
"https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "CWE-22", "trust": 1.0 }, { "problemtype": "Path traversal (CWE-22) [ others ]", "trust": 0.8 } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2022-014251" }, { "db": "NVD", "id": "CVE-2022-35919" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 2.5, "url": "https://github.com/minio/minio/commit/bc72e4226e669d98c8e0f3eccc9297be9251c692" }, { "trust": 2.5, "url": "https://github.com/minio/minio/pull/15429" }, { "trust": 2.5, "url": "https://github.com/minio/minio/security/advisories/ghsa-gr9v-6pcm-rqvg" }, { "trust": 1.0, "url": "http://packetstormsecurity.com/files/175010/minio-2022-07-29t19-40-48z-path-traversal.html" }, { "trust": 0.8, "url": "https://nvd.nist.gov/vuln/detail/cve-2022-35919" }, { "trust": 0.6, "url": "https://cxsecurity.com/cveshow/cve-2022-35919/" }, { "trust": 0.6, "url": "https://vigilance.fr/vulnerability/minio-file-reading-via-admin-serverupdate-39306" }, { "trust": 0.1, "url": "https://cwe.mitre.org/data/definitions/22.html" }, { "trust": 0.1, "url": "https://nvd.nist.gov" } ], "sources": [ { "db": "VULMON", "id": "CVE-2022-35919" }, { "db": "JVNDB", "id": "JVNDB-2022-014251" }, { "db": "NVD", "id": "CVE-2022-35919" }, { "db": "CNNVD", "id": "CNNVD-202208-1987" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "VULMON", "id": "CVE-2022-35919" }, { "db": "JVNDB", "id": "JVNDB-2022-014251" }, { "db": "NVD", "id": "CVE-2022-35919" }, { "db": "CNNVD", "id": "CNNVD-202208-1987" } ] }, "sources_release_date": { "@context": { "@vocab": 
"https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2022-08-01T00:00:00", "db": "VULMON", "id": "CVE-2022-35919" }, { "date": "2023-09-15T00:00:00", "db": "JVNDB", "id": "JVNDB-2022-014251" }, { "date": "2022-08-01T22:15:10.280000", "db": "NVD", "id": "CVE-2022-35919" }, { "date": "2022-08-01T00:00:00", "db": "CNNVD", "id": "CNNVD-202208-1987" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2022-08-02T00:00:00", "db": "VULMON", "id": "CVE-2022-35919" }, { "date": "2023-09-15T08:07:00", "db": "JVNDB", "id": "JVNDB-2022-014251" }, { "date": "2023-10-10T17:15:10.940000", "db": "NVD", "id": "CVE-2022-35919" }, { "date": "2022-09-20T00:00:00", "db": "CNNVD", "id": "CNNVD-202208-1987" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "CNNVD", "id": "CNNVD-202208-1987" } ], "trust": 0.6 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Minio\u00a0Inc.\u00a0 of \u00a0Minio\u00a0 Past traversal vulnerability in", "sources": [ { "db": "JVNDB", "id": "JVNDB-2022-014251" } ], "trust": 0.8 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "path traversal", "sources": [ { "db": "CNNVD", "id": "CNNVD-202208-1987" } ], "trust": 0.6 } }
var-202206-0648
Vulnerability from variot
MinIO is a multi-cloud object storage solution. Starting with version RELEASE.2019-09-25T18-25-51Z and ending with version RELEASE.2022-06-02T02-11-04Z, MinIO is vulnerable to an unending go-routine buildup while keeping connections established, due to HTTP clients not closing the connections. Public-facing MinIO deployments are most affected. Users should upgrade to RELEASE.2022-06-02T02-11-04Z to receive a patch. One possible workaround is to use a reverse proxy in front of MinIO to limit the number of connections being attempted, and to actively reject connections from such malicious clients. Minio Inc.'s Minio contains a resource exhaustion vulnerability. It may be put into a denial-of-service (DoS) state, interrupting service operation.
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-202206-0648", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "minio", "scope": "gte", "trust": 1.0, "vendor": "minio", "version": "2019-09-25t18-25-51z" }, { "model": "minio", "scope": "lt", "trust": 1.0, "vendor": "minio", "version": "2022-06-02t02-11-04z" }, { "model": "minio", "scope": "eq", "trust": 0.8, "vendor": 
"minio", "version": "2019-09-25t18-25-51z that\u0027s all 2022-06-02t02-11-04z" }, { "model": "minio", "scope": "eq", "trust": 0.8, "vendor": "minio", "version": null }, { "model": "minio", "scope": null, "trust": 0.8, "vendor": "minio", "version": null } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2022-011042" }, { "db": "NVD", "id": "CVE-2022-31028" } ] }, "configurations": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/configurations#", "children": { "@container": "@list" }, "cpe_match": { "@container": "@list" }, "data": { "@container": "@list" }, "nodes": { "@container": "@list" } }, "data": [ { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "2022-06-02t02-11-04z", "versionStartIncluding": "2019-09-25t18-25-51z", "vulnerable": true } ], "operator": "OR" } ] } ], "sources": [ { "db": "NVD", "id": "CVE-2022-31028" } ] }, "cve": "CVE-2022-31028", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [ { "acInsufInfo": false, "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "author": "NVD", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "exploitabilityScore": 10.0, "impactScore": 2.9, "integrityImpact": "NONE", "obtainAllPrivilege": false, 
"obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "trust": 1.0, "userInteractionRequired": false, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" }, { "acInsufInfo": null, "accessComplexity": "Low", "accessVector": "Network", "authentication": "None", "author": "NVD", "availabilityImpact": "Partial", "baseScore": 5.0, "confidentialityImpact": "None", "exploitabilityScore": null, "id": "CVE-2022-31028", "impactScore": null, "integrityImpact": "None", "obtainAllPrivilege": null, "obtainOtherPrivilege": null, "obtainUserPrivilege": null, "severity": "Medium", "trust": 0.8, "userInteractionRequired": null, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" } ], "cvssV3": [ { "attackComplexity": "LOW", "attackVector": "NETWORK", "author": "NVD", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "exploitabilityScore": 3.9, "impactScore": 3.6, "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "trust": 2.0, "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, { "attackComplexity": "Low", "attackVector": "Network", "author": "NVD", "availabilityImpact": "High", "baseScore": 7.5, "baseSeverity": "High", "confidentialityImpact": "None", "exploitabilityScore": null, "id": "CVE-2022-31028", "impactScore": null, "integrityImpact": "None", "privilegesRequired": "None", "scope": "Unchanged", "trust": 0.8, "userInteraction": "None", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0" } ], "severity": [ { "author": "NVD", "id": "CVE-2022-31028", "trust": 1.8, "value": "HIGH" }, { "author": "security-advisories@github.com", "id": "CVE-2022-31028", "trust": 1.0, "value": "HIGH" }, { "author": "CNNVD", "id": "CNNVD-202206-636", "trust": 0.6, "value": "HIGH" } ] } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2022-011042" }, { "db": "NVD", "id": 
"CVE-2022-31028" }, { "db": "NVD", "id": "CVE-2022-31028" }, { "db": "CNNVD", "id": "CNNVD-202206-636" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "MinIO is a multi-cloud object storage solution. Starting with version RELEASE.2019-09-25T18-25-51Z and ending with version RELEASE.2022-06-02T02-11-04Z, MinIO is vulnerable to an unending go-routine buildup while keeping connections established due to HTTP clients not closing the connections. Public-facing MinIO deployments are most affected. Users should upgrade to RELEASE.2022-06-02T02-11-04Z to receive a patch. One possible workaround is to use a reverse proxy to limit the number of connections being attempted in front of MinIO, and actively rejecting connections from such malicious clients. Minio Inc. of Minio Exists in a resource exhaustion vulnerability.Service operation interruption (DoS) It may be in a state", "sources": [ { "db": "NVD", "id": "CVE-2022-31028" }, { "db": "JVNDB", "id": "JVNDB-2022-011042" } ], "trust": 1.62 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2022-31028", "trust": 3.2 }, { "db": "JVNDB", "id": "JVNDB-2022-011042", "trust": 0.8 }, { "db": "CS-HELP", "id": "SB2022060628", "trust": 0.6 }, { "db": "CNNVD", "id": "CNNVD-202206-636", "trust": 0.6 } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2022-011042" }, { "db": "NVD", "id": "CVE-2022-31028" }, { "db": "CNNVD", "id": "CNNVD-202206-636" } ] }, "id": "VAR-202206-0648", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, 
"sources": [ { "db": "VARIoT devices database", "id": null } ], "trust": 0.18899521 }, "last_update_date": "2023-12-18T13:00:47.036000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "MinIO Remediation of resource management error vulnerabilities", "trust": 0.6, "url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=196270" } ], "sources": [ { "db": "CNNVD", "id": "CNNVD-202206-636" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "CWE-400", "trust": 1.0 }, { "problemtype": "Resource exhaustion (CWE-400) [NVD evaluation ]", "trust": 0.8 } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2022-011042" }, { "db": "NVD", "id": "CVE-2022-31028" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 2.4, "url": "https://gist.github.com/harshavardhana/2d00e6f909054d2d2524c71485ad02e1" }, { "trust": 2.4, "url": "https://github.com/minio/minio/pull/14995" }, { "trust": 2.4, "url": "https://github.com/minio/minio/releases/tag/release.2022-06-03t01-40-53z" }, { "trust": 2.4, "url": "https://github.com/minio/minio/security/advisories/ghsa-qrpr-r3pw-f636" }, { "trust": 0.8, "url": "https://nvd.nist.gov/vuln/detail/cve-2022-31028" }, { "trust": 0.6, "url": "https://vigilance.fr/vulnerability/minio-overload-via-unclosed-connections-39307" }, { "trust": 0.6, "url": "https://www.cybersecurity-help.cz/vdb/sb2022060628" }, { "trust": 0.6, "url": "https://cxsecurity.com/cveshow/cve-2022-31028/" } ], "sources": [ { 
"db": "JVNDB", "id": "JVNDB-2022-011042" }, { "db": "NVD", "id": "CVE-2022-31028" }, { "db": "CNNVD", "id": "CNNVD-202206-636" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "JVNDB", "id": "JVNDB-2022-011042" }, { "db": "NVD", "id": "CVE-2022-31028" }, { "db": "CNNVD", "id": "CNNVD-202206-636" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2023-08-18T00:00:00", "db": "JVNDB", "id": "JVNDB-2022-011042" }, { "date": "2022-06-07T16:15:07.760000", "db": "NVD", "id": "CVE-2022-31028" }, { "date": "2022-06-06T00:00:00", "db": "CNNVD", "id": "CNNVD-202206-636" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2023-08-18T08:21:00", "db": "JVNDB", "id": "JVNDB-2022-011042" }, { "date": "2022-06-14T14:40:02.617000", "db": "NVD", "id": "CVE-2022-31028" }, { "date": "2022-09-20T00:00:00", "db": "CNNVD", "id": "CNNVD-202206-636" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "CNNVD", "id": "CNNVD-202206-636" } ], "trust": 0.6 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Minio\u00a0Inc.\u00a0 of \u00a0Minio\u00a0 Resource exhaustion vulnerability in", "sources": [ { "db": "JVNDB", "id": "JVNDB-2022-011042" } ], "trust": 0.8 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "resource 
management error", "sources": [ { "db": "CNNVD", "id": "CNNVD-202206-636" } ], "trust": 0.6 } }
var-202004-2185
Vulnerability from variot
MinIO versions before RELEASE.2020-04-23T00-58-49Z have an authentication bypass issue in the MinIO admin API. Given an admin access key, it is possible to perform admin API operations, such as creating new service accounts for existing access keys, without knowing the admin secret key. This has been fixed and released in version RELEASE.2020-04-23T00-58-49Z. MinIO contains an authentication vulnerability. Information may be tampered with.
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-202004-2185", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "minio", "scope": "lt", "trust": 1.0, "vendor": "minio", "version": "2020-04-23t00-58-49z" }, { "model": "minio", "scope": "eq", "trust": 0.8, "vendor": "minio", "version": "release.2020-04-23t00-58-49z" } ], "sources": [ { "db": "JVNDB", "id": 
"JVNDB-2020-004949" }, { "db": "NVD", "id": "CVE-2020-11012" } ] }, "configurations": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/configurations#", "children": { "@container": "@list" }, "cpe_match": { "@container": "@list" }, "data": { "@container": "@list" }, "nodes": { "@container": "@list" } }, "data": [ { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "2020-04-23t00-58-49z", "vulnerable": true } ], "operator": "OR" } ] } ], "sources": [ { "db": "NVD", "id": "CVE-2020-11012" } ] }, "cve": "CVE-2020-11012", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [ { "acInsufInfo": false, "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "author": "NVD", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "exploitabilityScore": 10.0, "impactScore": 2.9, "integrityImpact": "PARTIAL", "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "trust": 1.0, "userInteractionRequired": false, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0" }, { "acInsufInfo": null, "accessComplexity": "Low", "accessVector": "Network", "authentication": "None", "author": "NVD", "availabilityImpact": "None", "baseScore": 
5.0, "confidentialityImpact": "None", "exploitabilityScore": null, "id": "JVNDB-2020-004949", "impactScore": null, "integrityImpact": "Partial", "obtainAllPrivilege": null, "obtainOtherPrivilege": null, "obtainUserPrivilege": null, "severity": "Medium", "trust": 0.8, "userInteractionRequired": null, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0" } ], "cvssV3": [ { "attackComplexity": "LOW", "attackVector": "NETWORK", "author": "NVD", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "exploitabilityScore": 3.9, "impactScore": 3.6, "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "trust": 1.0, "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" }, { "attackComplexity": "LOW", "attackVector": "NETWORK", "author": "security-advisories@github.com", "availabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "LOW", "exploitabilityScore": 3.9, "impactScore": 4.7, "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "trust": 1.0, "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N", "version": "3.1" }, { "attackComplexity": "Low", "attackVector": "Network", "author": "NVD", "availabilityImpact": "None", "baseScore": 7.5, "baseSeverity": "High", "confidentialityImpact": "None", "exploitabilityScore": null, "id": "JVNDB-2020-004949", "impactScore": null, "integrityImpact": "High", "privilegesRequired": "None", "scope": "Unchanged", "trust": 0.8, "userInteraction": "None", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.0" } ], "severity": [ { "author": "NVD", "id": "CVE-2020-11012", "trust": 1.0, "value": "HIGH" }, { "author": "security-advisories@github.com", "id": "CVE-2020-11012", "trust": 1.0, "value": "CRITICAL" }, { "author": "NVD", "id": "JVNDB-2020-004949", "trust": 0.8, "value": 
"High" }, { "author": "CNNVD", "id": "CNNVD-202004-2042", "trust": 0.6, "value": "HIGH" } ] } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2020-004949" }, { "db": "NVD", "id": "CVE-2020-11012" }, { "db": "NVD", "id": "CVE-2020-11012" }, { "db": "CNNVD", "id": "CNNVD-202004-2042" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "MinIO versions before RELEASE.2020-04-23T00-58-49Z have an authentication bypass issue in the MinIO admin API. Given an admin access key, it is possible to perform admin API operations i.e. creating new service accounts for existing access keys - without knowing the admin secret key. This has been fixed and released in version RELEASE.2020-04-23T00-58-49Z. MinIO There is an authentication vulnerability in.Information may be tampered with", "sources": [ { "db": "NVD", "id": "CVE-2020-11012" }, { "db": "JVNDB", "id": "JVNDB-2020-004949" } ], "trust": 1.62 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2020-11012", "trust": 2.4 }, { "db": "JVNDB", "id": "JVNDB-2020-004949", "trust": 0.8 }, { "db": "CNNVD", "id": "CNNVD-202004-2042", "trust": 0.6 } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2020-004949" }, { "db": "NVD", "id": "CVE-2020-11012" }, { "db": "CNNVD", "id": "CNNVD-202004-2042" } ] }, "id": "VAR-202004-2185", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "VARIoT devices database", "id": null } ], "trust": 0.18899521 }, "last_update_date": "2023-12-18T13:37:49.133000Z", "patch": { "@context": { 
"@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "Top Page", "trust": 0.8, "url": "https://min.io/" }, { "title": "MinIO Security vulnerabilities", "trust": 0.6, "url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=116797" } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2020-004949" }, { "db": "CNNVD", "id": "CNNVD-202004-2042" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "CWE-755", "trust": 1.0 }, { "problemtype": "CWE-287", "trust": 0.8 } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2020-004949" }, { "db": "NVD", "id": "CVE-2020-11012" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 2.4, "url": "https://github.com/minio/minio/commit/4cd6ca02c7957aeb2de3eede08b0754332a77923" }, { "trust": 1.6, "url": "https://github.com/minio/minio/pull/9422" }, { "trust": 1.6, "url": "https://github.com/minio/minio/releases/tag/release.2020-04-23t00-58-49z" }, { "trust": 1.6, "url": "https://github.com/minio/minio/security/advisories/ghsa-xv4r-vccv-mg4w" }, { "trust": 0.8, "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-11012" }, { "trust": 0.8, "url": "https://nvd.nist.gov/vuln/detail/cve-2020-11012\\" }, { "trust": 0.6, "url": "https://nvd.nist.gov/vuln/detail/cve-2020-11012" } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2020-004949" }, { "db": "NVD", "id": "CVE-2020-11012" }, { "db": "CNNVD", "id": "CNNVD-202004-2042" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", 
"data": { "@container": "@list" } }, "data": [ { "db": "JVNDB", "id": "JVNDB-2020-004949" }, { "db": "NVD", "id": "CVE-2020-11012" }, { "db": "CNNVD", "id": "CNNVD-202004-2042" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2020-06-03T00:00:00", "db": "JVNDB", "id": "JVNDB-2020-004949" }, { "date": "2020-04-23T22:15:12.833000", "db": "NVD", "id": "CVE-2020-11012" }, { "date": "2020-04-23T00:00:00", "db": "CNNVD", "id": "CNNVD-202004-2042" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2020-06-03T00:00:00", "db": "JVNDB", "id": "JVNDB-2020-004949" }, { "date": "2021-10-26T20:02:15.260000", "db": "NVD", "id": "CVE-2020-11012" }, { "date": "2021-10-27T00:00:00", "db": "CNNVD", "id": "CNNVD-202004-2042" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "CNNVD", "id": "CNNVD-202004-2042" } ], "trust": 0.6 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "MinIO Authentication vulnerabilities in", "sources": [ { "db": "JVNDB", "id": "JVNDB-2020-004949" } ], "trust": 0.8 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "authorization issue", "sources": [ { "db": "CNNVD", "id": "CNNVD-202004-2042" } ], "trust": 0.6 } }
var-202302-1690
Vulnerability from variot
Minio is a Multi-Cloud Object Storage framework. Affected versions do not correctly honor a `Deny` policy on ByPassGovernance. Ideally, minio should return "Access Denied" to all users attempting to DELETE a versionId with the special header `X-Amz-Bypass-Governance-Retention: true`. However, this was not honored; instead the request was accepted and an object under governance would be incorrectly deleted. All users are advised to upgrade. There are no known workarounds for this issue. Minio Inc.'s Minio contains an unspecified vulnerability. Information may be obtained or tampered with, and service operation may be interrupted (DoS).
{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-202302-1690", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "minio", "scope": "lt", "trust": 1.0, "vendor": "minio", "version": "2023-02-17t17-52-43z" }, { "model": "minio", "scope": "gte", "trust": 1.0, "vendor": "minio", "version": "2020-04-10t03-34-42z" }, { "model": "minio", "scope": "eq", "trust": 0.8, "vendor": "minio", "version": 
"2020-04-10t03-34-42z that\u0027s all 2023-02-17t17-52-43z" }, { "model": "minio", "scope": null, "trust": 0.8, "vendor": "minio", "version": null }, { "model": "minio", "scope": "eq", "trust": 0.8, "vendor": "minio", "version": null } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2023-004685" }, { "db": "NVD", "id": "CVE-2023-25812" } ] }, "configurations": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/configurations#", "children": { "@container": "@list" }, "cpe_match": { "@container": "@list" }, "data": { "@container": "@list" }, "nodes": { "@container": "@list" } }, "data": [ { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "2023-02-17t17-52-43z", "versionStartIncluding": "2020-04-10t03-34-42z", "vulnerable": true } ], "operator": "OR" } ] } ], "sources": [ { "db": "NVD", "id": "CVE-2023-25812" } ] }, "cve": "CVE-2023-25812", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [], "cvssV3": [ { "attackComplexity": "LOW", "attackVector": "NETWORK", "author": "NVD", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "exploitabilityScore": 2.8, "impactScore": 5.9, "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "trust": 1.0, 
"userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, { "attackComplexity": "LOW", "attackVector": "NETWORK", "author": "security-advisories@github.com", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "exploitabilityScore": 3.9, "impactScore": 2.5, "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "trust": 1.0, "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.1" }, { "attackComplexity": "Low", "attackVector": "Network", "author": "NVD", "availabilityImpact": "High", "baseScore": 8.8, "baseSeverity": "High", "confidentialityImpact": "High", "exploitabilityScore": null, "id": "CVE-2023-25812", "impactScore": null, "integrityImpact": "High", "privilegesRequired": "Low", "scope": "Unchanged", "trust": 0.8, "userInteraction": "None", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" } ], "severity": [ { "author": "NVD", "id": "CVE-2023-25812", "trust": 1.8, "value": "HIGH" }, { "author": "security-advisories@github.com", "id": "CVE-2023-25812", "trust": 1.0, "value": "MEDIUM" }, { "author": "CNNVD", "id": "CNNVD-202302-1719", "trust": 0.6, "value": "HIGH" } ] } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2023-004685" }, { "db": "NVD", "id": "CVE-2023-25812" }, { "db": "NVD", "id": "CVE-2023-25812" }, { "db": "CNNVD", "id": "CNNVD-202302-1719" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Minio is a Multi-Cloud Object Storage framework. Affected versions do not correctly honor a `Deny` policy on ByPassGoverance. Ideally, minio should return \"Access Denied\" to all users attempting to DELETE a versionId with the special header `X-Amz-Bypass-Governance-Retention: true`. 
However, this was not honored instead the request will be honored and an object under governance would be incorrectly deleted. All users are advised to upgrade. There are no known workarounds for this issue. Minio Inc. of Minio Exists in unspecified vulnerabilities.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state", "sources": [ { "db": "NVD", "id": "CVE-2023-25812" }, { "db": "JVNDB", "id": "JVNDB-2023-004685" }, { "db": "VULMON", "id": "CVE-2023-25812" } ], "trust": 1.71 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2023-25812", "trust": 3.3 }, { "db": "JVNDB", "id": "JVNDB-2023-004685", "trust": 0.8 }, { "db": "CNNVD", "id": "CNNVD-202302-1719", "trust": 0.6 }, { "db": "VULMON", "id": "CVE-2023-25812", "trust": 0.1 } ], "sources": [ { "db": "VULMON", "id": "CVE-2023-25812" }, { "db": "JVNDB", "id": "JVNDB-2023-004685" }, { "db": "NVD", "id": "CVE-2023-25812" }, { "db": "CNNVD", "id": "CNNVD-202302-1719" } ] }, "id": "VAR-202302-1690", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "VARIoT devices database", "id": null } ], "trust": 0.18899521 }, "last_update_date": "2023-12-18T12:25:29.586000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "MinIO Security vulnerabilities", "trust": 0.6, "url": "http://123.124.177.30/web/xxk/bdxqbyid.tag?id=228040" } ], "sources": [ { "db": "CNNVD", "id": "CNNVD-202302-1719" } ] }, 
"problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "NVD-CWE-noinfo", "trust": 1.0 }, { "problemtype": "Lack of information (CWE-noinfo) [NVD evaluation ]", "trust": 0.8 } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2023-004685" }, { "db": "NVD", "id": "CVE-2023-25812" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 2.5, "url": "https://github.com/minio/minio/security/advisories/ghsa-c8fc-mjj8-fc63" }, { "trust": 2.5, "url": "https://github.com/minio/minio/commit/a7188bc9d0f0a5ae05aaf1b8126bcd3cb3fdc485" }, { "trust": 2.5, "url": "https://github.com/minio/minio/pull/16635" }, { "trust": 1.4, "url": "https://nvd.nist.gov/vuln/detail/cve-2023-25812" }, { "trust": 0.6, "url": "https://cxsecurity.com/cveshow/cve-2023-25812/" }, { "trust": 0.1, "url": "https://nvd.nist.gov" } ], "sources": [ { "db": "VULMON", "id": "CVE-2023-25812" }, { "db": "JVNDB", "id": "JVNDB-2023-004685" }, { "db": "NVD", "id": "CVE-2023-25812" }, { "db": "CNNVD", "id": "CNNVD-202302-1719" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "VULMON", "id": "CVE-2023-25812" }, { "db": "JVNDB", "id": "JVNDB-2023-004685" }, { "db": "NVD", "id": "CVE-2023-25812" }, { "db": "CNNVD", "id": "CNNVD-202302-1719" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2023-02-21T00:00:00", "db": "VULMON", "id": "CVE-2023-25812" }, { "date": "2023-11-01T00:00:00", "db": "JVNDB", "id": "JVNDB-2023-004685" }, { "date": 
"2023-02-21T21:15:11.507000", "db": "NVD", "id": "CVE-2023-25812" }, { "date": "2023-02-21T00:00:00", "db": "CNNVD", "id": "CNNVD-202302-1719" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2023-02-22T00:00:00", "db": "VULMON", "id": "CVE-2023-25812" }, { "date": "2023-11-01T04:47:00", "db": "JVNDB", "id": "JVNDB-2023-004685" }, { "date": "2023-11-07T04:09:12.860000", "db": "NVD", "id": "CVE-2023-25812" }, { "date": "2023-03-08T00:00:00", "db": "CNNVD", "id": "CNNVD-202302-1719" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "CNNVD", "id": "CNNVD-202302-1719" } ], "trust": 0.6 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Minio\u00a0Inc.\u00a0 of \u00a0Minio\u00a0 Vulnerability in", "sources": [ { "db": "JVNDB", "id": "JVNDB-2023-004685" } ], "trust": 0.8 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "other", "sources": [ { "db": "CNNVD", "id": "CNNVD-202302-1719" } ], "trust": 0.6 } }
var-202303-1844
Vulnerability from variot
Minio is a Multi-Cloud Object Storage framework. In a cluster deployment starting with RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z, MinIO returns all environment variables, including `MINIO_SECRET_KEY` and `MINIO_ROOT_PASSWORD`, resulting in information disclosure. All users of distributed deployment are impacted. All users are advised to upgrade to RELEASE.2023-03-20T20-16-18Z. Because the disclosed variables include the root credentials, upgrading does not undo any exposure that has already occurred. Minio Inc.'s Minio contains an unspecified vulnerability. Information may be obtained.
{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-202303-1844", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "minio", "scope": "gte", "trust": 1.0, "vendor": "minio", "version": "2019-12-17t23-16-33z" }, { "model": "minio", "scope": "lt", "trust": 1.0, "vendor": "minio", "version": "2023-03-20t20-16-18z" }, { "model": "minio", "scope": "eq", "trust": 0.8, "vendor": "minio", "version": 
"2019-12-17t23-16-33z that\u0027s all 2023-03-20t20-16-18z" }, { "model": "minio", "scope": "eq", "trust": 0.8, "vendor": "minio", "version": null }, { "model": "minio", "scope": null, "trust": 0.8, "vendor": "minio", "version": null } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2023-005841" }, { "db": "NVD", "id": "CVE-2023-28432" } ] }, "configurations": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/configurations#", "children": { "@container": "@list" }, "cpe_match": { "@container": "@list" }, "data": { "@container": "@list" }, "nodes": { "@container": "@list" } }, "data": [ { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "2023-03-20t20-16-18z", "versionStartIncluding": "2019-12-17t23-16-33z", "vulnerable": true } ], "operator": "OR" } ] } ], "sources": [ { "db": "NVD", "id": "CVE-2023-28432" } ] }, "cve": "CVE-2023-28432", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [], "cvssV3": [ { "attackComplexity": "LOW", "attackVector": "NETWORK", "author": "NVD", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "exploitabilityScore": 3.9, "impactScore": 3.6, "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "trust": 2.0, 
"userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, { "attackComplexity": "Low", "attackVector": "Network", "author": "NVD", "availabilityImpact": "None", "baseScore": 7.5, "baseSeverity": "High", "confidentialityImpact": "High", "exploitabilityScore": null, "id": "CVE-2023-28432", "impactScore": null, "integrityImpact": "None", "privilegesRequired": "None", "scope": "Unchanged", "trust": 0.8, "userInteraction": "None", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0" } ], "severity": [ { "author": "NVD", "id": "CVE-2023-28432", "trust": 1.8, "value": "HIGH" }, { "author": "security-advisories@github.com", "id": "CVE-2023-28432", "trust": 1.0, "value": "HIGH" }, { "author": "CNNVD", "id": "CNNVD-202303-1795", "trust": 0.6, "value": "HIGH" } ] } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2023-005841" }, { "db": "CNNVD", "id": "CNNVD-202303-1795" }, { "db": "NVD", "id": "CVE-2023-28432" }, { "db": "NVD", "id": "CVE-2023-28432" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Minio is a Multi-Cloud Object Storage framework. In a cluster deployment starting with RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z, MinIO returns all environment variables, including `MINIO_SECRET_KEY`\nand `MINIO_ROOT_PASSWORD`, resulting in information disclosure. All users of distributed deployment are impacted. All users are advised to upgrade to RELEASE.2023-03-20T20-16-18Z. Minio Inc. 
of Minio Exists in unspecified vulnerabilities.Information may be obtained", "sources": [ { "db": "NVD", "id": "CVE-2023-28432" }, { "db": "JVNDB", "id": "JVNDB-2023-005841" }, { "db": "VULMON", "id": "CVE-2023-28432" } ], "trust": 1.71 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2023-28432", "trust": 3.3 }, { "db": "JVNDB", "id": "JVNDB-2023-005841", "trust": 0.8 }, { "db": "CNNVD", "id": "CNNVD-202303-1795", "trust": 0.6 }, { "db": "VULMON", "id": "CVE-2023-28432", "trust": 0.1 } ], "sources": [ { "db": "VULMON", "id": "CVE-2023-28432" }, { "db": "JVNDB", "id": "JVNDB-2023-005841" }, { "db": "CNNVD", "id": "CNNVD-202303-1795" }, { "db": "NVD", "id": "CVE-2023-28432" } ] }, "id": "VAR-202303-1844", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "VARIoT devices database", "id": null } ], "trust": 0.18899521 }, "last_update_date": "2024-06-29T23:03:55.394000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "MinIO Repair measures for information disclosure vulnerabilities", "trust": 0.6, "url": "http://123.124.177.30/web/xxk/bdxqbyid.tag?id=230693" }, { "title": "", "trust": 0.1, "url": "https://github.com/atk7r/taichi " } ], "sources": [ { "db": "VULMON", "id": "CVE-2023-28432" }, { "db": "CNNVD", "id": "CNNVD-202303-1795" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": 
"https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "NVD-CWE-noinfo", "trust": 1.0 }, { "problemtype": "Lack of information (CWE-noinfo) [NVD evaluation ]", "trust": 0.8 } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2023-005841" }, { "db": "NVD", "id": "CVE-2023-28432" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 2.4, "url": "https://github.com/minio/minio/releases/tag/release.2023-03-20t20-16-18z" }, { "trust": 2.4, "url": "https://github.com/minio/minio/security/advisories/ghsa-6xvq-wj2x-3h3q" }, { "trust": 2.4, "url": "https://twitter.com/andrew___morris/status/1639325397241278464" }, { "trust": 2.4, "url": "https://viz.greynoise.io/tag/minio-information-disclosure-attempt" }, { "trust": 2.4, "url": "https://www.greynoise.io/blog/openai-minio-and-why-you-should-always-use-docker-cli-scan-to-keep-your-supply-chain-clean" }, { "trust": 0.8, "url": "https://nvd.nist.gov/vuln/detail/cve-2023-28432" }, { "trust": 0.8, "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" }, { "trust": 0.6, "url": "https://cxsecurity.com/cveshow/cve-2023-28432/" } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2023-005841" }, { "db": "CNNVD", "id": "CNNVD-202303-1795" }, { "db": "NVD", "id": "CVE-2023-28432" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "VULMON", "id": "CVE-2023-28432" }, { "db": "JVNDB", "id": "JVNDB-2023-005841" }, { "db": "CNNVD", "id": "CNNVD-202303-1795" }, { "db": "NVD", "id": "CVE-2023-28432" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2023-03-22T00:00:00", "db": "VULMON", "id": "CVE-2023-28432" }, { 
"date": "2023-11-10T00:00:00", "db": "JVNDB", "id": "JVNDB-2023-005841" }, { "date": "2023-03-22T00:00:00", "db": "CNNVD", "id": "CNNVD-202303-1795" }, { "date": "2023-03-22T21:15:18.257000", "db": "NVD", "id": "CVE-2023-28432" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2023-03-23T00:00:00", "db": "VULMON", "id": "CVE-2023-28432" }, { "date": "2023-11-10T04:23:00", "db": "JVNDB", "id": "JVNDB-2023-005841" }, { "date": "2023-03-29T00:00:00", "db": "CNNVD", "id": "CNNVD-202303-1795" }, { "date": "2024-06-27T19:30:51.627000", "db": "NVD", "id": "CVE-2023-28432" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "CNNVD", "id": "CNNVD-202303-1795" } ], "trust": 0.6 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Minio\u00a0Inc.\u00a0 of \u00a0Minio\u00a0 Vulnerability in", "sources": [ { "db": "JVNDB", "id": "JVNDB-2023-005841" } ], "trust": 0.8 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "information disclosure", "sources": [ { "db": "CNNVD", "id": "CNNVD-202303-1795" } ], "trust": 0.6 } }
var-201806-0819
Vulnerability from variot
Minio Inc. Minio S3 server versions prior to RELEASE.2018-05-16T23-35-33Z contain an Allocation of Memory Without Limits or Throttling (similar to CWE-774) vulnerability in write-to-RAM that can result in Denial of Service. This attack appears to be exploitable by sending V4-(pre)signed requests with large bodies. This vulnerability appears to have been fixed after commit 9c8b7306f55f2c8c0a5c7cea9a8db9d34be8faa7.
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-201806-0819", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "minio", "scope": "lt", "trust": 1.0, "vendor": "minio", "version": "2018-05-16t23-35-33z" }, { "model": "minio", "scope": "eq", "trust": 0.8, "vendor": "minio", "version": "release.2018-05-16t23-35-33z" }, { "model": "minio", "scope": "eq", "trust": 0.6, 
"vendor": "minio", "version": "2018-03-19t19-22-06z" }, { "model": "minio", "scope": "eq", "trust": 0.6, "vendor": "minio", "version": "2018-04-04t05-20-54z" }, { "model": "minio", "scope": "eq", "trust": 0.6, "vendor": "minio", "version": "2018-04-12t23-41-09z" }, { "model": "minio", "scope": "eq", "trust": 0.6, "vendor": "minio", "version": "2018-04-19t22-54-58z" }, { "model": "minio", "scope": "eq", "trust": 0.6, "vendor": "minio", "version": "2018-05-10t00-00-42z" }, { "model": "minio", "scope": "eq", "trust": 0.6, "vendor": "minio", "version": "2018-03-30t00-38-44z" }, { "model": "minio", "scope": "eq", "trust": 0.6, "vendor": "minio", "version": "2018-03-28t23-45-53z" }, { "model": "minio", "scope": "eq", "trust": 0.6, "vendor": "minio", "version": "2018-05-11t00-29-24z" }, { "model": "minio", "scope": "eq", "trust": 0.6, "vendor": "minio", "version": "2018-04-27t23-33-52z" }, { "model": "minio", "scope": "eq", "trust": 0.6, "vendor": "minio", "version": "2018-05-04t23-13-12z" } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2018-006998" }, { "db": "NVD", "id": "CVE-2018-1000538" }, { "db": "CNNVD", "id": "CNNVD-201806-1260" } ] }, "configurations": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/configurations#", "children": { "@container": "@list" }, "cpe_match": { "@container": "@list" }, "data": { "@container": "@list" }, "nodes": { "@container": "@list" } }, "data": [ { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "2018-05-16t23-35-33z", "vulnerable": true } ], "operator": "OR" } ] } ], "sources": [ { "db": "NVD", "id": "CVE-2018-1000538" } ] }, "cve": "CVE-2018-1000538", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": 
"https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [ { "acInsufInfo": false, "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "author": "NVD", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "exploitabilityScore": 10.0, "impactScore": 2.9, "integrityImpact": "NONE", "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "trust": 1.0, "userInteractionRequired": false, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" }, { "acInsufInfo": null, "accessComplexity": "Low", "accessVector": "Network", "authentication": "None", "author": "NVD", "availabilityImpact": "Partial", "baseScore": 5.0, "confidentialityImpact": "None", "exploitabilityScore": null, "id": "CVE-2018-1000538", "impactScore": null, "integrityImpact": "None", "obtainAllPrivilege": null, "obtainOtherPrivilege": null, "obtainUserPrivilege": null, "severity": "Medium", "trust": 0.8, "userInteractionRequired": null, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" } ], "cvssV3": [ { "attackComplexity": "LOW", "attackVector": "NETWORK", "author": "NVD", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "exploitabilityScore": 3.9, "impactScore": 3.6, "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "trust": 1.0, "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0" }, { "attackComplexity": "Low", "attackVector": "Network", "author": "NVD", 
"availabilityImpact": "High", "baseScore": 7.5, "baseSeverity": "High", "confidentialityImpact": "None", "exploitabilityScore": null, "id": "CVE-2018-1000538", "impactScore": null, "integrityImpact": "None", "privilegesRequired": "None", "scope": "Unchanged", "trust": 0.8, "userInteraction": "None", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0" } ], "severity": [ { "author": "NVD", "id": "CVE-2018-1000538", "trust": 1.8, "value": "HIGH" }, { "author": "CNNVD", "id": "CNNVD-201806-1260", "trust": 0.6, "value": "MEDIUM" } ] } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2018-006998" }, { "db": "NVD", "id": "CVE-2018-1000538" }, { "db": "CNNVD", "id": "CNNVD-201806-1260" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Minio Inc. Minio S3 server version prior to RELEASE.2018-05-16T23-35-33Z contains a Allocation of Memory Without Limits or Throttling (similar to CWE-774) vulnerability in write-to-RAM that can result in Denial of Service. This attack appear to be exploitable via Sending V4-(pre)signed requests with large bodies . 
This vulnerability appears to have been fixed in after commit 9c8b7306f55f2c8c0a5c7cea9a8db9d34be8faa7", "sources": [ { "db": "NVD", "id": "CVE-2018-1000538" }, { "db": "JVNDB", "id": "JVNDB-2018-006998" } ], "trust": 1.62 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2018-1000538", "trust": 2.4 }, { "db": "JVNDB", "id": "JVNDB-2018-006998", "trust": 0.8 }, { "db": "CNNVD", "id": "CNNVD-201806-1260", "trust": 0.6 } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2018-006998" }, { "db": "NVD", "id": "CVE-2018-1000538" }, { "db": "CNNVD", "id": "CNNVD-201806-1260" } ] }, "id": "VAR-201806-0819", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "VARIoT devices database", "id": null } ], "trust": 0.18899521 }, "last_update_date": "2023-12-18T12:36:44.963000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "security: fix write-to-RAM DoS vulnerability (#5957)", "trust": 0.8, "url": "https://github.com/minio/minio/commit/9c8b7306f55f2c8c0a5c7cea9a8db9d34be8faa7#diff-e8c3bc9bc83b5516d0cc806cd461d08bl220" }, { "title": "Minio S3 server Security vulnerabilities", "trust": 0.6, "url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=81537" } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2018-006998" }, { "db": "CNNVD", "id": "CNNVD-201806-1260" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": 
"https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "CWE-774", "trust": 1.8 } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2018-006998" }, { "db": "NVD", "id": "CVE-2018-1000538" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 1.6, "url": "https://github.com/minio/minio/commit/9c8b7306f55f2c8c0a5c7cea9a8db9d34be8faa7#diff-e8c3bc9bc83b5516d0cc806cd461d08bl220" }, { "trust": 1.6, "url": "https://github.com/minio/minio/pull/5957" }, { "trust": 0.8, "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-1000538" }, { "trust": 0.8, "url": "https://nvd.nist.gov/vuln/detail/cve-2018-1000538" } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2018-006998" }, { "db": "NVD", "id": "CVE-2018-1000538" }, { "db": "CNNVD", "id": "CNNVD-201806-1260" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "JVNDB", "id": "JVNDB-2018-006998" }, { "db": "NVD", "id": "CVE-2018-1000538" }, { "db": "CNNVD", "id": "CNNVD-201806-1260" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2018-09-05T00:00:00", "db": "JVNDB", "id": "JVNDB-2018-006998" }, { "date": "2018-06-26T16:29:02.133000", "db": "NVD", "id": "CVE-2018-1000538" }, { "date": "2018-06-26T00:00:00", "db": "CNNVD", "id": "CNNVD-201806-1260" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2018-09-05T00:00:00", "db": "JVNDB", "id": "JVNDB-2018-006998" }, { "date": "2018-08-23T16:38:01.727000", "db": "NVD", "id": "CVE-2018-1000538" }, { "date": "2018-06-28T00:00:00", "db": "CNNVD", 
"id": "CNNVD-201806-1260" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "CNNVD", "id": "CNNVD-201806-1260" } ], "trust": 0.6 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Minio Inc. Minio S3 Vulnerability in server descriptors or unrestricted file descriptor or handle allocation", "sources": [ { "db": "JVNDB", "id": "JVNDB-2018-006998" } ], "trust": 0.8 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "lack of information", "sources": [ { "db": "CNNVD", "id": "CNNVD-201806-1260" } ], "trust": 0.6 } }