PT-2025-17524 · Minio · Minio Operator
Bburky · Published 2025-04-21 · Updated 2025-04-23
CVE-2025-32963
CVSS v4.0: 6.9 (Medium)
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
MinIO Operator versions prior to 7.1.0
Description
The issue concerns the MinIO Operator STS, a native IAM authentication mechanism for Kubernetes. Without proper audience scoping, an authentication token can be replayed to other internal systems that may unintentionally trust it. This occurs when no audiences are provided in the spec.audiences field, which then defaults to the Kubernetes apiserver.
Recommendations
For versions prior to 7.1.0, update to version 7.1.0 to resolve the issue. As a temporary workaround, specify audiences in the spec.audiences field so that it does not default to the Kubernetes apiserver.
Weakness Enumeration
Insufficiently Protected Credentials
Affected Products
Minio Operator