PT-2022-23025 · Minio+1 · Minio+1

Alevsk · Published 2022-07-29 · Updated 2024-12-26 · CVE-2022-35919

CVSS v3.1: 7.4 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions: MinIO (affected versions not specified)
Description: The issue affects MinIO, a high-performance object storage system. Admin users authorized for the admin:ServerUpdate action can trigger an error that returns the content of the requested path. This allows access to the contents of arbitrary paths readable by the MinIO process.
Recommendations: Users of all affected versions are advised to upgrade. As a temporary workaround, consider disabling the ServerUpdate API by denying the admin:ServerUpdate action for admin users via IAM policies.
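
The workaround above, as an added example (not code from MinIO or from this advisory): a deny policy document for admin:ServerUpdate, plus a check that lists identities whose attached policies still allow the action. The identity names and sample policies are constructed, and the evaluation model (an explicit Deny overrides any Allow, actions match by wildcard, no Allow means denied) is an assumption about IAM-style policy evaluation.

```python
import json
from fnmatch import fnmatchcase

TARGET = "admin:ServerUpdate"

# Workaround policy: an explicit Deny on the one admin action named in the advisory.
DENY_SERVER_UPDATE = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": [TARGET]}],
}

def _as_list(value):
    # IAM-style JSON allows a single string/object where a list is expected.
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)

def allows_server_update(policies):
    """True if the combined policy documents still permit admin:ServerUpdate."""
    # Assumed model: a matching Deny always wins; no matching Allow means denied.
    allowed = False
    for doc in policies:
        for stmt in _as_list(doc.get("Statement")):
            if not any(fnmatchcase(TARGET, p) for p in _as_list(stmt.get("Action"))):
                continue
            if stmt.get("Effect") == "Deny":
                return False
            if stmt.get("Effect") == "Allow":
                allowed = True
    return allowed

def exposed_identities(assignments):
    """Names whose attached policies leave the ServerUpdate API reachable."""
    return sorted(n for n, docs in assignments.items() if allows_server_update(docs))

# Constructed sample data: identity name -> attached policy documents.
ALLOW_ALL_ADMIN = {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Allow", "Action": ["admin:*"]}]}
READ_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": ["arn:aws:s3:::*"]}]}
SAMPLE = {
    "ops-admin": [ALLOW_ALL_ADMIN],
    "ops-admin-mitigated": [ALLOW_ALL_ADMIN, DENY_SERVER_UPDATE],
    "report-reader": [READ_ONLY],
}

if __name__ == "__main__":
    print(json.dumps(DENY_SERVER_UPDATE, indent=2))
    print("still exposed:", exposed_identities(SAMPLE))
```

The wildcard case matters here: an identity granted `admin:*` never names admin:ServerUpdate explicitly, so a plain text search of its policies for the action name would miss it.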

Exploit

Fix

Path traversal

Weakness Enumeration

Related Identifiers

ALT-PU-2022-3382
ALT-PU-2023-1522
ALT-PU-2023-1908
ALT-PU-2023-2074
ALT-PU-2024-17529
BIT-MINIO-2022-35919
CVE-2022-35919
GHSA-GR9V-6PCM-RQVG

Affected Products

Alt Linux
Minio