PT-2020-12492 · Minio+1 · Minio+1
Harshavardhana · Published 2020-04-23 · Updated 2024-03-06 · CVE-2020-11012
CVSS v3.1: 9.3 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N
Name of the Vulnerable Software and Affected Versions
MinIO versions prior to RELEASE.2020-04-23T00-58-49Z
Description
The issue allows for an authentication bypass in the MinIO admin API. Given an admin access key, it is possible to perform admin API operations, such as creating new service accounts for existing access keys, without knowing the admin secret key.
Recommendations
For versions prior to RELEASE.2020-04-23T00-58-49Z, update to version RELEASE.2020-04-23T00-58-49Z or later to resolve the issue. As a temporary workaround, consider restricting access to the MinIO admin API to minimize the risk of exploitation.
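To apply the recommendation across a fleet, the release tag of each deployment can be compared against the fixed release by its embedded build timestamp. The following is an added example, not code from this advisory or from the MinIO project; the host names and version strings are constructed sample data, and ignoring a trailing tag suffix is an assumption.

```python
import re
from datetime import datetime, timezone

# Fixed release named in this advisory.
FIXED_TAG = "RELEASE.2020-04-23T00-58-49Z"

# MinIO release tags embed a UTC build timestamp. A trailing suffix
# (e.g. ".hotfix.<id>") is tolerated and ignored; that is an assumption.
TAG_RE = re.compile(r"RELEASE\.(\d{4}-\d{2}-\d{2}T\d{2}-\d{2}-\d{2}Z)")


def parse_release(text):
    """Return the UTC build time of the first release tag in text, or None."""
    m = TAG_RE.search(text)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H-%M-%SZ")
    except ValueError:  # digits match the pattern but the date is impossible
        return None
    return ts.replace(tzinfo=timezone.utc)


FIXED_TIME = parse_release(FIXED_TAG)


def classify(version_text):
    """Classify a version string as 'affected', 'fixed' or 'unknown'."""
    built = parse_release(version_text)
    if built is None:
        # Development builds and mangled strings cannot be compared;
        # flag them for manual review instead of treating them as safe.
        return "unknown"
    return "affected" if built < FIXED_TIME else "fixed"


# Constructed inventory: host names and version strings are sample data.
INVENTORY = {
    "storage-a": "minio version RELEASE.2020-04-15T19-42-18Z",
    "storage-b": "minio/minio:RELEASE.2020-04-23T00-58-49Z",
    "storage-c": "RELEASE.2021-01-05T05-22-38Z.hotfix.example",
    "storage-d": "DEVELOPMENT.GOGET",
}


def audit(inventory):
    """Map each host to its classification."""
    return {host: classify(v) for host, v in inventory.items()}
```

Hosts reported as `unknown` need a manual check, since a build without a release tag cannot be ordered against the fixed release.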
Fix
Improper Handling of Exceptional Conditions
Related Identifiers
Affected Products
Alt Linux
Minio