PT-2025-9136 · Minio+1
Ston1Th · Published 2025-02-28 · Updated 2025-09-22 · CVE-2025-27414

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:C/A:N
Name of the Vulnerable Software and Affected Versions: MinIO versions RELEASE.2024-06-06T09-36-42Z through RELEASE.2025-02-28T09-55-16Z

Description: A bug in MinIO's evaluation of the trust of the SSH key used in an SFTP connection allows authentication bypass and unauthorized data access. This issue affects MinIO servers with SFTP access configured and using LDAP as an external identity provider. When a user has no sshPublicKey property in LDAP, the server trusts the client's key, allowing the client to perform FTP operations allowed by the MinIO access policies associated with the LDAP user or their groups. To exploit this issue, an attacker must know an LDAP username without the sshPublicKey property, and this username or one of their groups must have a MinIO access policy configured. Successful exploitation allows the attacker to perform FTP operations such as reading, writing, deleting, and listing objects, as allowed by the access policy.

Recommendations: For versions RELEASE.2024-06-06T09-36-42Z through RELEASE.2025-02-28T09-55-16Z, update to version 1.2.0 to fix the issue. As a temporary workaround, consider restricting access to SFTP connections for users without the sshPublicKey property set in their LDAP server, or limit the MinIO access policies associated with these users and their groups.
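To make the trust decision in the description concrete, the following added Go example (not MinIO's code) places a model of the faulty check beside a fail-closed version; the ldapUser type, the function names and the key strings are all constructed for this illustration and do not come from the MinIO code base.

```go
package main

import (
	"fmt"
	"strings"
)

// ldapUser holds the one LDAP attribute that matters here: sshPublicKey.
type ldapUser struct {
	SSHPublicKeys []string // empty when the attribute is absent from the entry
}

// normalizeKey reduces an OpenSSH key line to "type blob", ignoring comments.
func normalizeKey(line string) (string, bool) {
	if f := strings.Fields(line); len(f) >= 2 {
		return f[0] + " " + f[1], true
	}
	return "", false
}

// matchesAny reports whether the client's key equals one stored on the entry.
func matchesAny(stored []string, client string) bool {
	for _, k := range stored {
		if s, ok := normalizeKey(k); ok && s == client {
			return true
		}
	}
	return false
}

// vulnerableKeyTrusted models the advisory's flaw: no sshPublicKey is read as "no restriction".
func vulnerableKeyTrusted(u ldapUser, clientKey string) bool {
	client, ok := normalizeKey(clientKey)
	if ok && len(u.SSHPublicKeys) == 0 {
		return true // the bug: absent attribute => trust whatever key the client offers
	}
	return ok && matchesAny(u.SSHPublicKeys, client)
}

// fixedKeyTrusted fails closed: no stored key means no client key is trusted.
func fixedKeyTrusted(u ldapUser, clientKey string) bool {
	client, ok := normalizeKey(clientKey)
	return ok && len(u.SSHPublicKeys) > 0 && matchesAny(u.SSHPublicKeys, client)
}
func main() {
	alice := ldapUser{} // constructed: a user with no sshPublicKey in LDAP
	offered := "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDBLOB any@host" // constructed placeholder
	fmt.Println("vulnerable:", vulnerableKeyTrusted(alice, offered)) // true
	fmt.Println("fixed:", fixedKeyTrusted(alice, offered))           // false
}
```

The workaround in the recommendations (denying SFTP to users without the attribute) is the operational equivalent of the fail-closed branch in fixedKeyTrusted.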

Exploit

Fix

Weakness Enumeration

Improper Authentication

Related Identifiers

BDU:2025-11495
BIT-MINIO-2025-27414
CVE-2025-27414
GHSA-WC79-7X8X-2P58
GO-2025-3495
OPENSUSE-SU-2025:14889-1

Affected Products

Minio
Red Os