CVE-2023-27589

CVSS v2.0

7.7

High

Vector

AV:N/AC:L/Au:M/C:N/I:C/A:C

Name of the Vulnerable Software and Affected Versions Minio versions RELEASE.2020-12-23T02-24-12Z through RELEASE.2023-03-13T19-46-17Z

Description The issue is related to a user with consoleAdmin permissions potentially creating a user that matches the root credential accessKey. Once this user is created successfully, the root credential ceases to work appropriately. Exploitation of this issue may allow a remote attacker to disable access to the root credentials.

Recommendations For versions RELEASE.2020-12-23T02-24-12Z through RELEASE.2023-03-13T19-46-17Z, update to RELEASE.2023-03-13T19-46-17Z or later to resolve the issue. As a temporary workaround, consider adding higher privileges to the disabled root user via mc admin policy set.

Exploit

Fix

Improper Privilege Management

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-269

Related Identifiers

ALT-PU-2023-1522

ALT-PU-2023-1908

ALT-PU-2023-2074

ALT-PU-2024-17529

BDU:2023-02148

BIT-MINIO-2023-27589

CVE-2023-27589

GHSA-9WFV-WMF7-6753

Affected Products

Alt Linux

Minio

Red Os

CVE-2023-27589

Weakness Enumeration

Related Identifiers

Affected Products

References · 19