cvelistv5 - cve-2020-11012

CVE-2020-11012 (GCVE-0-2020-11012)

Vulnerability from cvelistv5 – Published: 2020-04-23 21:55 – Updated: 2024-08-04 11:21

Summary

MinIO versions before RELEASE.2020-04-23T00-58-49Z have an authentication bypass issue in the MinIO admin API. Given an admin access key, it is possible to perform admin API operations i.e. creating new service accounts for existing access keys - without knowing the admin secret key. This has been fixed and released in version RELEASE.2020-04-23T00-58-49Z.

Severity ?

9.3 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N

CWE

CWE-305 - Authentication Bypass by Primary Weakness

Assigner

GitHub_M

References

URL

Tags

	https://github.com/minio/minio/security/advisorie…	x_refsource_CONFIRM
	https://github.com/minio/minio/pull/9422	x_refsource_MISC
	https://github.com/minio/minio/commit/4cd6ca02c79…	x_refsource_MISC
	https://github.com/minio/minio/releases/tag/RELEA…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	MinIO	minio	Affected: < RELEASE.2020-04-23T00-58-49Z

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T11:21:14.522Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/minio/minio/security/advisories/GHSA-xv4r-vccv-mg4w"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/minio/minio/pull/9422"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/minio/minio/commit/4cd6ca02c7957aeb2de3eede08b0754332a77923"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/minio/minio/releases/tag/RELEASE.2020-04-23T00-58-49Z"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "minio",
          "vendor": "MinIO",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c RELEASE.2020-04-23T00-58-49Z"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "MinIO versions before RELEASE.2020-04-23T00-58-49Z have an authentication bypass issue in the MinIO admin API. Given an admin access key, it is possible to perform admin API operations i.e. creating new service accounts for existing access keys - without knowing the admin secret key. This has been fixed and released in version RELEASE.2020-04-23T00-58-49Z."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "LOW",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-305",
              "description": "CWE-305: Authentication Bypass by Primary Weakness",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-04-23T21:55:14",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/minio/minio/security/advisories/GHSA-xv4r-vccv-mg4w"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/minio/minio/pull/9422"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/minio/minio/commit/4cd6ca02c7957aeb2de3eede08b0754332a77923"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/minio/minio/releases/tag/RELEASE.2020-04-23T00-58-49Z"
        }
      ],
      "source": {
        "advisory": "GHSA-xv4r-vccv-mg4w",
        "discovery": "UNKNOWN"
      },
      "title": "Authentication bypass MinIO Admin API",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2020-11012",
          "STATE": "PUBLIC",
          "TITLE": "Authentication bypass MinIO Admin API"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "minio",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c RELEASE.2020-04-23T00-58-49Z"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "MinIO"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "MinIO versions before RELEASE.2020-04-23T00-58-49Z have an authentication bypass issue in the MinIO admin API. Given an admin access key, it is possible to perform admin API operations i.e. creating new service accounts for existing access keys - without knowing the admin secret key. This has been fixed and released in version RELEASE.2020-04-23T00-58-49Z."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "LOW",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-305: Authentication Bypass by Primary Weakness"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/minio/minio/security/advisories/GHSA-xv4r-vccv-mg4w",
              "refsource": "CONFIRM",
              "url": "https://github.com/minio/minio/security/advisories/GHSA-xv4r-vccv-mg4w"
            },
            {
              "name": "https://github.com/minio/minio/pull/9422",
              "refsource": "MISC",
              "url": "https://github.com/minio/minio/pull/9422"
            },
            {
              "name": "https://github.com/minio/minio/commit/4cd6ca02c7957aeb2de3eede08b0754332a77923",
              "refsource": "MISC",
              "url": "https://github.com/minio/minio/commit/4cd6ca02c7957aeb2de3eede08b0754332a77923"
            },
            {
              "name": "https://github.com/minio/minio/releases/tag/RELEASE.2020-04-23T00-58-49Z",
              "refsource": "MISC",
              "url": "https://github.com/minio/minio/releases/tag/RELEASE.2020-04-23T00-58-49Z"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-xv4r-vccv-mg4w",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2020-11012",
    "datePublished": "2020-04-23T21:55:14",
    "dateReserved": "2020-03-30T00:00:00",
    "dateUpdated": "2024-08-04T11:21:14.522Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"2020-04-23t00-58-49z\", \"matchCriteriaId\": \"31CB1B2A-7802-446D-8D09-53DF944D7444\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"MinIO versions before RELEASE.2020-04-23T00-58-49Z have an authentication bypass issue in the MinIO admin API. Given an admin access key, it is possible to perform admin API operations i.e. creating new service accounts for existing access keys - without knowing the admin secret key. This has been fixed and released in version RELEASE.2020-04-23T00-58-49Z.\"}, {\"lang\": \"es\", \"value\": \"MinIO versiones anteriores a la versi\\u00f3n  RELEASE.2020-04-23T00-58-49Z, tiene un problema de omisi\\u00f3n de autenticaci\\u00f3n en la API de administraci\\u00f3n de MinIO. Dada una clave de acceso de administrador, es posible llevar a cabo operaciones de la API del administrador, es decir, crear nuevas cuentas de servicio para claves de acceso existentes, sin conocer la clave secreta del administrador. Esto se ha corregido y publicado en la versi\\u00f3n RELEASE.2020-04-23T00-58-49Z.\"}]",
      "id": "CVE-2020-11012",
      "lastModified": "2024-11-21T04:56:34.820",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N\", \"baseScore\": 9.3, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 4.7}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.6}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:N/I:P/A:N\", \"baseScore\": 5.0, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 10.0, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2020-04-23T22:15:12.833",
      "references": "[{\"url\": \"https://github.com/minio/minio/commit/4cd6ca02c7957aeb2de3eede08b0754332a77923\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/minio/minio/pull/9422\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://github.com/minio/minio/releases/tag/RELEASE.2020-04-23T00-58-49Z\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://github.com/minio/minio/security/advisories/GHSA-xv4r-vccv-mg4w\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/minio/minio/commit/4cd6ca02c7957aeb2de3eede08b0754332a77923\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/minio/minio/pull/9422\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://github.com/minio/minio/releases/tag/RELEASE.2020-04-23T00-58-49Z\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://github.com/minio/minio/security/advisories/GHSA-xv4r-vccv-mg4w\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-305\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-755\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2020-11012\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2020-04-23T22:15:12.833\",\"lastModified\":\"2024-11-21T04:56:34.820\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"MinIO versions before RELEASE.2020-04-23T00-58-49Z have an authentication bypass issue in the MinIO admin API. Given an admin access key, it is possible to perform admin API operations i.e. creating new service accounts for existing access keys - without knowing the admin secret key. This has been fixed and released in version RELEASE.2020-04-23T00-58-49Z.\"},{\"lang\":\"es\",\"value\":\"MinIO versiones anteriores a la versi\u00f3n  RELEASE.2020-04-23T00-58-49Z, tiene un problema de omisi\u00f3n de autenticaci\u00f3n en la API de administraci\u00f3n de MinIO. Dada una clave de acceso de administrador, es posible llevar a cabo operaciones de la API del administrador, es decir, crear nuevas cuentas de servicio para claves de acceso existentes, sin conocer la clave secreta del administrador. Esto se ha corregido y publicado en la versi\u00f3n RELEASE.2020-04-23T00-58-49Z.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N\",\"baseScore\":9.3,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":4.7},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:N/I:P/A:N\",\"baseScore\":5.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-305\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-755\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2020-04-23t00-58-49z\",\"matchCriteriaId\":\"31CB1B2A-7802-446D-8D09-53DF944D7444\"}]}]}],\"references\":[{\"url\":\"https://github.com/minio/minio/commit/4cd6ca02c7957aeb2de3eede08b0754332a77923\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/minio/minio/pull/9422\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/minio/minio/releases/tag/RELEASE.2020-04-23T00-58-49Z\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/minio/minio/security/advisories/GHSA-xv4r-vccv-mg4w\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/minio/minio/commit/4cd6ca02c7957aeb2de3eede08b0754332a77923\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/minio/minio/pull/9422\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/minio/minio/releases/tag/RELEASE.2020-04-23T00-58-49Z\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/minio/minio/security/advisories/GHSA-xv4r-vccv-mg4w\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]}]}}"
  }
}

GSD-2020-11012

Vulnerability from gsd - Updated: 2023-12-13 01:22

Details

Aliases

CVE-2020-11012

Aliases

CVE-2020-11012

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2020-11012",
    "description": "MinIO versions before RELEASE.2020-04-23T00-58-49Z have an authentication bypass issue in the MinIO admin API. Given an admin access key, it is possible to perform admin API operations i.e. creating new service accounts for existing access keys - without knowing the admin secret key. This has been fixed and released in version RELEASE.2020-04-23T00-58-49Z.",
    "id": "GSD-2020-11012"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2020-11012"
      ],
      "details": "MinIO versions before RELEASE.2020-04-23T00-58-49Z have an authentication bypass issue in the MinIO admin API. Given an admin access key, it is possible to perform admin API operations i.e. creating new service accounts for existing access keys - without knowing the admin secret key. This has been fixed and released in version RELEASE.2020-04-23T00-58-49Z.",
      "id": "GSD-2020-11012",
      "modified": "2023-12-13T01:22:06.140816Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2020-11012",
        "STATE": "PUBLIC",
        "TITLE": "Authentication bypass MinIO Admin API"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "minio",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "\u003c RELEASE.2020-04-23T00-58-49Z"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "MinIO"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "MinIO versions before RELEASE.2020-04-23T00-58-49Z have an authentication bypass issue in the MinIO admin API. Given an admin access key, it is possible to perform admin API operations i.e. creating new service accounts for existing access keys - without knowing the admin secret key. This has been fixed and released in version RELEASE.2020-04-23T00-58-49Z."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 9.3,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "LOW",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-305: Authentication Bypass by Primary Weakness"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/minio/minio/security/advisories/GHSA-xv4r-vccv-mg4w",
            "refsource": "CONFIRM",
            "url": "https://github.com/minio/minio/security/advisories/GHSA-xv4r-vccv-mg4w"
          },
          {
            "name": "https://github.com/minio/minio/pull/9422",
            "refsource": "MISC",
            "url": "https://github.com/minio/minio/pull/9422"
          },
          {
            "name": "https://github.com/minio/minio/commit/4cd6ca02c7957aeb2de3eede08b0754332a77923",
            "refsource": "MISC",
            "url": "https://github.com/minio/minio/commit/4cd6ca02c7957aeb2de3eede08b0754332a77923"
          },
          {
            "name": "https://github.com/minio/minio/releases/tag/RELEASE.2020-04-23T00-58-49Z",
            "refsource": "MISC",
            "url": "https://github.com/minio/minio/releases/tag/RELEASE.2020-04-23T00-58-49Z"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-xv4r-vccv-mg4w",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003cRELEASE.2020-04-23T00-58-49Z",
          "affected_versions": "All versions before 2020-04-23t00-58-49z",
          "cvss_v2": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-755",
            "CWE-937"
          ],
          "date": "2021-10-26",
          "description": "MinIO has an authentication bypass issue in the MinIO admin API. Given an admin access key, it is possible to perform admin API operations, i.e., creating new service accounts for existing access keys without knowing the admin secret key.",
          "fixed_versions": [
            "RELEASE.2020-04-23T00-58-49Z"
          ],
          "identifier": "CVE-2020-11012",
          "identifiers": [
            "CVE-2020-11012",
            "GHSA-xv4r-vccv-mg4w"
          ],
          "not_impacted": "All versions starting from RELEASE.2020-04-23T00-58-49Z",
          "package_slug": "go/github.com/minio/minio",
          "pubdate": "2020-04-23",
          "solution": "Upgrade to version RELEASE.2020-04-23T00-58-49Z or above.",
          "title": "Improper Authentication",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2020-11012"
          ],
          "uuid": "216192fe-2efa-4c52-addd-4bf3522c2b69",
          "versions": [
            {
              "commit": {
                "sha": "343fedadbb481420c5b9f1a4328c12b203d777f9",
                "tags": [
                  "RELEASE.2020-04-23T00-58-49Z"
                ],
                "timestamp": "20200423010658"
              },
              "number": "RELEASE.2020-04-23T00-58-49Z"
            }
          ]
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2020-04-23t00-58-49z",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2020-11012"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "MinIO versions before RELEASE.2020-04-23T00-58-49Z have an authentication bypass issue in the MinIO admin API. Given an admin access key, it is possible to perform admin API operations i.e. creating new service accounts for existing access keys - without knowing the admin secret key. This has been fixed and released in version RELEASE.2020-04-23T00-58-49Z."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-755"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/minio/minio/commit/4cd6ca02c7957aeb2de3eede08b0754332a77923",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/minio/minio/commit/4cd6ca02c7957aeb2de3eede08b0754332a77923"
            },
            {
              "name": "https://github.com/minio/minio/pull/9422",
              "refsource": "MISC",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://github.com/minio/minio/pull/9422"
            },
            {
              "name": "https://github.com/minio/minio/security/advisories/GHSA-xv4r-vccv-mg4w",
              "refsource": "CONFIRM",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/minio/minio/security/advisories/GHSA-xv4r-vccv-mg4w"
            },
            {
              "name": "https://github.com/minio/minio/releases/tag/RELEASE.2020-04-23T00-58-49Z",
              "refsource": "MISC",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://github.com/minio/minio/releases/tag/RELEASE.2020-04-23T00-58-49Z"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 5.0,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2021-10-26T20:02Z",
      "publishedDate": "2020-04-23T22:15Z"
    }
  }
}

FKIE_CVE-2020-11012

Vulnerability from fkie_nvd - Published: 2020-04-23 22:15 - Updated: 2024-11-21 04:56

Severity ?

9.3 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/minio/minio/commit/4cd6ca02c7957aeb2de3eede08b0754332a77923	Patch, Third Party Advisory
security-advisories@github.com	https://github.com/minio/minio/pull/9422	Third Party Advisory
security-advisories@github.com	https://github.com/minio/minio/releases/tag/RELEASE.2020-04-23T00-58-49Z	Third Party Advisory
security-advisories@github.com	https://github.com/minio/minio/security/advisories/GHSA-xv4r-vccv-mg4w	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/minio/minio/commit/4cd6ca02c7957aeb2de3eede08b0754332a77923	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/minio/minio/pull/9422	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/minio/minio/releases/tag/RELEASE.2020-04-23T00-58-49Z	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/minio/minio/security/advisories/GHSA-xv4r-vccv-mg4w	Patch, Third Party Advisory

Impacted products

	Vendor	Product	Version
	minio	minio	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "31CB1B2A-7802-446D-8D09-53DF944D7444",
              "versionEndExcluding": "2020-04-23t00-58-49z",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "MinIO versions before RELEASE.2020-04-23T00-58-49Z have an authentication bypass issue in the MinIO admin API. Given an admin access key, it is possible to perform admin API operations i.e. creating new service accounts for existing access keys - without knowing the admin secret key. This has been fixed and released in version RELEASE.2020-04-23T00-58-49Z."
    },
    {
      "lang": "es",
      "value": "MinIO versiones anteriores a la versi\u00f3n  RELEASE.2020-04-23T00-58-49Z, tiene un problema de omisi\u00f3n de autenticaci\u00f3n en la API de administraci\u00f3n de MinIO. Dada una clave de acceso de administrador, es posible llevar a cabo operaciones de la API del administrador, es decir, crear nuevas cuentas de servicio para claves de acceso existentes, sin conocer la clave secreta del administrador. Esto se ha corregido y publicado en la versi\u00f3n RELEASE.2020-04-23T00-58-49Z."
    }
  ],
  "id": "CVE-2020-11012",
  "lastModified": "2024-11-21T04:56:34.820",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 5.0,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 9.3,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "LOW",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 4.7,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-04-23T22:15:12.833",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/minio/minio/commit/4cd6ca02c7957aeb2de3eede08b0754332a77923"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/minio/minio/pull/9422"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/minio/minio/releases/tag/RELEASE.2020-04-23T00-58-49Z"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/minio/minio/security/advisories/GHSA-xv4r-vccv-mg4w"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/minio/minio/commit/4cd6ca02c7957aeb2de3eede08b0754332a77923"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/minio/minio/pull/9422"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/minio/minio/releases/tag/RELEASE.2020-04-23T00-58-49Z"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/minio/minio/security/advisories/GHSA-xv4r-vccv-mg4w"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-305"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-755"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

CNVD-2021-31480

Vulnerability from cnvd - Published: 2021-04-27

Title

MinIO授权问题漏洞

Description

MinIO是美国MinIO公司的一款开源的对象存储服务器。该产品支持构建用于机器学习、分析和应用程序数据工作负载的基础架构。 MinIO RELEASE.2020-04-23T00-58-49Z之前版本中的MinIO admin API存在授权问题漏洞。攻击者可利用该漏洞无需密钥便可执行未授权的操作，例如为已存在的访问密钥创建服务账户。

Severity

中

Patch Name

MinIO授权问题漏洞的补丁

Patch Description

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://github.com/minio/minio/security/advisories/GHSA-xv4r-vccv-mg4w

Reference

https://nvd.nist.gov/vuln/detail/CVE-2020-11012

Impacted products

Name
MinIO MinIO <RELEASE.2020-04-23T00-58-49Z

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-11012"
    }
  },
  "description": "MinIO\u662f\u7f8e\u56fdMinIO\u516c\u53f8\u7684\u4e00\u6b3e\u5f00\u6e90\u7684\u5bf9\u8c61\u5b58\u50a8\u670d\u52a1\u5668\u3002\u8be5\u4ea7\u54c1\u652f\u6301\u6784\u5efa\u7528\u4e8e\u673a\u5668\u5b66\u4e60\u3001\u5206\u6790\u548c\u5e94\u7528\u7a0b\u5e8f\u6570\u636e\u5de5\u4f5c\u8d1f\u8f7d\u7684\u57fa\u7840\u67b6\u6784\u3002\n\nMinIO RELEASE.2020-04-23T00-58-49Z\u4e4b\u524d\u7248\u672c\u4e2d\u7684MinIO admin API\u5b58\u5728\u6388\u6743\u95ee\u9898\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u65e0\u9700\u5bc6\u94a5\u4fbf\u53ef\u6267\u884c\u672a\u6388\u6743\u7684\u64cd\u4f5c\uff0c\u4f8b\u5982\u4e3a\u5df2\u5b58\u5728\u7684\u8bbf\u95ee\u5bc6\u94a5\u521b\u5efa\u670d\u52a1\u8d26\u6237\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://github.com/minio/minio/security/advisories/GHSA-xv4r-vccv-mg4w",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-31480",
  "openTime": "2021-04-27",
  "patchDescription": "MinIO\u662f\u7f8e\u56fdMinIO\u516c\u53f8\u7684\u4e00\u6b3e\u5f00\u6e90\u7684\u5bf9\u8c61\u5b58\u50a8\u670d\u52a1\u5668\u3002\u8be5\u4ea7\u54c1\u652f\u6301\u6784\u5efa\u7528\u4e8e\u673a\u5668\u5b66\u4e60\u3001\u5206\u6790\u548c\u5e94\u7528\u7a0b\u5e8f\u6570\u636e\u5de5\u4f5c\u8d1f\u8f7d\u7684\u57fa\u7840\u67b6\u6784\u3002\r\n\r\nMinIO RELEASE.2020-04-23T00-58-49Z\u4e4b\u524d\u7248\u672c\u4e2d\u7684MinIO admin API\u5b58\u5728\u6388\u6743\u95ee\u9898\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u65e0\u9700\u5bc6\u94a5\u4fbf\u53ef\u6267\u884c\u672a\u6388\u6743\u7684\u64cd\u4f5c\uff0c\u4f8b\u5982\u4e3a\u5df2\u5b58\u5728\u7684\u8bbf\u95ee\u5bc6\u94a5\u521b\u5efa\u670d\u52a1\u8d26\u6237\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "MinIO\u6388\u6743\u95ee\u9898\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "MinIO MinIO \u003cRELEASE.2020-04-23T00-58-49Z"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2020-11012",
  "serverity": "\u4e2d",
  "submitTime": "2020-04-24",
  "title": "MinIO\u6388\u6743\u95ee\u9898\u6f0f\u6d1e"
}

VAR-202004-2185

Vulnerability from variot - Updated: 2023-12-18 13:37

Show details on source website

JSON

To clipboard

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-202004-2185",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "minio",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "minio",
        "version": "2020-04-23t00-58-49z"
      },
      {
        "model": "minio",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "minio",
        "version": "release.2020-04-23t00-58-49z"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-004949"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-11012"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2020-04-23t00-58-49z",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2020-11012"
      }
    ]
  },
  "cve": "CVE-2020-11012",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "acInsufInfo": false,
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "NVD",
            "availabilityImpact": "NONE",
            "baseScore": 5.0,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 10.0,
            "impactScore": 2.9,
            "integrityImpact": "PARTIAL",
            "obtainAllPrivilege": false,
            "obtainOtherPrivilege": false,
            "obtainUserPrivilege": false,
            "severity": "MEDIUM",
            "trust": 1.0,
            "userInteractionRequired": false,
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "Low",
            "accessVector": "Network",
            "authentication": "None",
            "author": "NVD",
            "availabilityImpact": "None",
            "baseScore": 5.0,
            "confidentialityImpact": "None",
            "exploitabilityScore": null,
            "id": "JVNDB-2020-004949",
            "impactScore": null,
            "integrityImpact": "Partial",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "Medium",
            "trust": 0.8,
            "userInteractionRequired": null,
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "NVD",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 3.9,
            "impactScore": 3.6,
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 1.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "security-advisories@github.com",
            "availabilityImpact": "NONE",
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "LOW",
            "exploitabilityScore": 3.9,
            "impactScore": 4.7,
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "trust": 1.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N",
            "version": "3.1"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Network",
            "author": "NVD",
            "availabilityImpact": "None",
            "baseScore": 7.5,
            "baseSeverity": "High",
            "confidentialityImpact": "None",
            "exploitabilityScore": null,
            "id": "JVNDB-2020-004949",
            "impactScore": null,
            "integrityImpact": "High",
            "privilegesRequired": "None",
            "scope": "Unchanged",
            "trust": 0.8,
            "userInteraction": "None",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "NVD",
            "id": "CVE-2020-11012",
            "trust": 1.0,
            "value": "HIGH"
          },
          {
            "author": "security-advisories@github.com",
            "id": "CVE-2020-11012",
            "trust": 1.0,
            "value": "CRITICAL"
          },
          {
            "author": "NVD",
            "id": "JVNDB-2020-004949",
            "trust": 0.8,
            "value": "High"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-202004-2042",
            "trust": 0.6,
            "value": "HIGH"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-004949"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-11012"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-11012"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202004-2042"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "MinIO versions before RELEASE.2020-04-23T00-58-49Z have an authentication bypass issue in the MinIO admin API. Given an admin access key, it is possible to perform admin API operations i.e. creating new service accounts for existing access keys - without knowing the admin secret key. This has been fixed and released in version RELEASE.2020-04-23T00-58-49Z. MinIO There is an authentication vulnerability in.Information may be tampered with",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2020-11012"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-004949"
      }
    ],
    "trust": 1.62
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2020-11012",
        "trust": 2.4
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-004949",
        "trust": 0.8
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202004-2042",
        "trust": 0.6
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-004949"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-11012"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202004-2042"
      }
    ]
  },
  "id": "VAR-202004-2185",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "VARIoT devices database",
        "id": null
      }
    ],
    "trust": 0.18899521
  },
  "last_update_date": "2023-12-18T13:37:49.133000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "Top Page",
        "trust": 0.8,
        "url": "https://min.io/"
      },
      {
        "title": "MinIO Security vulnerabilities",
        "trust": 0.6,
        "url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=116797"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-004949"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202004-2042"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-755",
        "trust": 1.0
      },
      {
        "problemtype": "CWE-287",
        "trust": 0.8
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-004949"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-11012"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 2.4,
        "url": "https://github.com/minio/minio/commit/4cd6ca02c7957aeb2de3eede08b0754332a77923"
      },
      {
        "trust": 1.6,
        "url": "https://github.com/minio/minio/pull/9422"
      },
      {
        "trust": 1.6,
        "url": "https://github.com/minio/minio/releases/tag/release.2020-04-23t00-58-49z"
      },
      {
        "trust": 1.6,
        "url": "https://github.com/minio/minio/security/advisories/ghsa-xv4r-vccv-mg4w"
      },
      {
        "trust": 0.8,
        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-11012"
      },
      {
        "trust": 0.8,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-11012\\"
      },
      {
        "trust": 0.6,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-11012"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-004949"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-11012"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202004-2042"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-004949"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-11012"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202004-2042"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2020-06-03T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2020-004949"
      },
      {
        "date": "2020-04-23T22:15:12.833000",
        "db": "NVD",
        "id": "CVE-2020-11012"
      },
      {
        "date": "2020-04-23T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202004-2042"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2020-06-03T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2020-004949"
      },
      {
        "date": "2021-10-26T20:02:15.260000",
        "db": "NVD",
        "id": "CVE-2020-11012"
      },
      {
        "date": "2021-10-27T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202004-2042"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202004-2042"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "MinIO Authentication vulnerabilities in",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-004949"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "authorization issue",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202004-2042"
      }
    ],
    "trust": 0.6
  }
}

GHSA-XV4R-VCCV-MG4W

Vulnerability from github – Published: 2021-05-24 21:13 – Updated: 2021-12-20 18:07

Summary

MinIO Admin API security issue

Details

During an internal security audit, we detected an authentication bypass issue in the MinIO admin API. The security issue has been reported internally. We have not observed this exploit in the wild or reported elsewhere in the community at large. All users are advised to upgrade ASAP.

Impact

Given an admin access key, it is possible to perform admin API operations i.e. creating new service accounts for existing access keys without knowing the admin secret key. This security issue was found during a regular internal security audit.

Patches

This issue was fixed by @vadmeste in PR https://github.com/minio/minio/pull/9422

Binary Download

Please download the latest server binary that contains the fix from

Platform	Architecture	URL
Apple macOS	64-bit Intel	https://dl.min.io/server/minio/release/darwin-amd64/minio
GNU/Linux	64-bit Intel	https://dl.min.io/server/minio/release/linux-amd64/minio
Microsoft Windows	64-bit	https://dl.min.io/server/minio/release/windows-amd64/minio.exe

Docker Container Download

docker pull minio/minio:RELEASE.2020-04-23T00-58-49Z

Questions

If you have any questions or comments regarding this advisory please reach out to us any of the following means.

If you are a community user minio/minio
Email us at security@min.io
If you are a paid customer please open an issue at https://subnet.min.io

Severity ?

7.1 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2020-11012"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-305",
      "CWE-755"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-04-23T22:15:00Z",
    "severity": "HIGH"
  },
  "details": "During an internal security audit, we detected an authentication bypass issue in the MinIO admin API. The security issue has been reported internally. We have not observed this exploit in the wild or reported elsewhere in the community at large. All users are advised to upgrade ASAP.\n\n### Impact\nGiven an admin access key, it is possible to perform admin API operations i.e. creating new service accounts for existing access keys without knowing the admin secret key. This security issue was found during a regular internal security audit. \n\n### Patches\nThis issue was fixed by @vadmeste in PR https://github.com/minio/minio/pull/9422 \n\n### Binary Download\nPlease download the latest server binary that contains the fix from\n\n| Platform    | Architecture | URL                                                       |\n| ----------  | --------     | ------                                                    |\n| Apple macOS | 64-bit Intel | https://dl.min.io/server/minio/release/darwin-amd64/minio |\n| GNU/Linux  | 64-bit Intel | https://dl.min.io/server/minio/release/linux-amd64/minio |\n| Microsoft Windows | 64-bit       | https://dl.min.io/server/minio/release/windows-amd64/minio.exe |\n\n### Docker Container Download\n```\ndocker pull minio/minio:RELEASE.2020-04-23T00-58-49Z\n```\n\n### Questions\nIf you have any questions or comments regarding this advisory please reach out to us any of the following means.\n\n- If you are a community user [minio/minio](https://github.com/minio/minio/issues)\n- Email us at [security@min.io](mailto:security@min.io)\n- If you are a paid customer please open an issue at https://subnet.min.io",
  "id": "GHSA-xv4r-vccv-mg4w",
  "modified": "2021-12-20T18:07:48Z",
  "published": "2021-05-24T21:13:59Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/minio/minio/security/advisories/GHSA-xv4r-vccv-mg4w"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11012"
    },
    {
      "type": "WEB",
      "url": "https://github.com/minio/minio/pull/9422"
    },
    {
      "type": "WEB",
      "url": "https://github.com/minio/minio/commit/4cd6ca02c7957aeb2de3eede08b0754332a77923"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/minio/minio"
    },
    {
      "type": "WEB",
      "url": "https://github.com/minio/minio/releases/tag/RELEASE.2020-04-23T00-58-49Z"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "MinIO Admin API security issue"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2020-11012 (GCVE-0-2020-11012)

GSD-2020-11012

FKIE_CVE-2020-11012

CNVD-2021-31480

VAR-202004-2185

GHSA-XV4R-VCCV-MG4W

Impact

Patches

Binary Download

Docker Container Download

Questions

Tags

Sightings

Nomenclature