cvelistv5 - cve-2020-11012

CVE-2020-11012 (GCVE-0-2020-11012)

Vulnerability from cvelistv5

Published

2020-04-23 21:55

Modified

2024-08-04 11:21

Severity ?

9.3 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N

Summary

MinIO versions before RELEASE.2020-04-23T00-58-49Z have an authentication bypass issue in the MinIO admin API. Given an admin access key, it is possible to perform admin API operations i.e. creating new service accounts for existing access keys - without knowing the admin secret key. This has been fixed and released in version RELEASE.2020-04-23T00-58-49Z.

References

URL	Tags
security-advisories@github.com	https://github.com/minio/minio/commit/4cd6ca02c7957aeb2de3eede08b0754332a77923	Patch, Third Party Advisory
security-advisories@github.com	https://github.com/minio/minio/pull/9422	Third Party Advisory
security-advisories@github.com	https://github.com/minio/minio/releases/tag/RELEASE.2020-04-23T00-58-49Z	Third Party Advisory
security-advisories@github.com	https://github.com/minio/minio/security/advisories/GHSA-xv4r-vccv-mg4w	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/minio/minio/commit/4cd6ca02c7957aeb2de3eede08b0754332a77923	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/minio/minio/pull/9422	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/minio/minio/releases/tag/RELEASE.2020-04-23T00-58-49Z	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/minio/minio/security/advisories/GHSA-xv4r-vccv-mg4w	Patch, Third Party Advisory

Impacted products

	Vendor	Product	Version
	MinIO	minio	Version: < RELEASE.2020-04-23T00-58-49Z

Show details on NVD website

JSON

To clipboard

{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-04T11:21:14.522Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://github.com/minio/minio/security/advisories/GHSA-xv4r-vccv-mg4w",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://github.com/minio/minio/pull/9422",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://github.com/minio/minio/commit/4cd6ca02c7957aeb2de3eede08b0754332a77923",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://github.com/minio/minio/releases/tag/RELEASE.2020-04-23T00-58-49Z",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "minio",
               vendor: "MinIO",
               versions: [
                  {
                     status: "affected",
                     version: "< RELEASE.2020-04-23T00-58-49Z",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "MinIO versions before RELEASE.2020-04-23T00-58-49Z have an authentication bypass issue in the MinIO admin API. Given an admin access key, it is possible to perform admin API operations i.e. creating new service accounts for existing access keys - without knowing the admin secret key. This has been fixed and released in version RELEASE.2020-04-23T00-58-49Z.",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 9.3,
                  baseSeverity: "CRITICAL",
                  confidentialityImpact: "LOW",
                  integrityImpact: "HIGH",
                  privilegesRequired: "NONE",
                  scope: "CHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N",
                  version: "3.1",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-305",
                     description: "CWE-305: Authentication Bypass by Primary Weakness",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2020-04-23T21:55:14",
            orgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
            shortName: "GitHub_M",
         },
         references: [
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://github.com/minio/minio/security/advisories/GHSA-xv4r-vccv-mg4w",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/minio/minio/pull/9422",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/minio/minio/commit/4cd6ca02c7957aeb2de3eede08b0754332a77923",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/minio/minio/releases/tag/RELEASE.2020-04-23T00-58-49Z",
            },
         ],
         source: {
            advisory: "GHSA-xv4r-vccv-mg4w",
            discovery: "UNKNOWN",
         },
         title: "Authentication bypass MinIO Admin API",
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "security-advisories@github.com",
               ID: "CVE-2020-11012",
               STATE: "PUBLIC",
               TITLE: "Authentication bypass MinIO Admin API",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "minio",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "< RELEASE.2020-04-23T00-58-49Z",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "MinIO",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "MinIO versions before RELEASE.2020-04-23T00-58-49Z have an authentication bypass issue in the MinIO admin API. Given an admin access key, it is possible to perform admin API operations i.e. creating new service accounts for existing access keys - without knowing the admin secret key. This has been fixed and released in version RELEASE.2020-04-23T00-58-49Z.",
                  },
               ],
            },
            impact: {
               cvss: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 9.3,
                  baseSeverity: "CRITICAL",
                  confidentialityImpact: "LOW",
                  integrityImpact: "HIGH",
                  privilegesRequired: "NONE",
                  scope: "CHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N",
                  version: "3.1",
               },
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "CWE-305: Authentication Bypass by Primary Weakness",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://github.com/minio/minio/security/advisories/GHSA-xv4r-vccv-mg4w",
                     refsource: "CONFIRM",
                     url: "https://github.com/minio/minio/security/advisories/GHSA-xv4r-vccv-mg4w",
                  },
                  {
                     name: "https://github.com/minio/minio/pull/9422",
                     refsource: "MISC",
                     url: "https://github.com/minio/minio/pull/9422",
                  },
                  {
                     name: "https://github.com/minio/minio/commit/4cd6ca02c7957aeb2de3eede08b0754332a77923",
                     refsource: "MISC",
                     url: "https://github.com/minio/minio/commit/4cd6ca02c7957aeb2de3eede08b0754332a77923",
                  },
                  {
                     name: "https://github.com/minio/minio/releases/tag/RELEASE.2020-04-23T00-58-49Z",
                     refsource: "MISC",
                     url: "https://github.com/minio/minio/releases/tag/RELEASE.2020-04-23T00-58-49Z",
                  },
               ],
            },
            source: {
               advisory: "GHSA-xv4r-vccv-mg4w",
               discovery: "UNKNOWN",
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
      assignerShortName: "GitHub_M",
      cveId: "CVE-2020-11012",
      datePublished: "2020-04-23T21:55:14",
      dateReserved: "2020-03-30T00:00:00",
      dateUpdated: "2024-08-04T11:21:14.522Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
   "vulnerability-lookup:meta": {
      fkie_nvd: {
         configurations: "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"2020-04-23t00-58-49z\", \"matchCriteriaId\": \"31CB1B2A-7802-446D-8D09-53DF944D7444\"}]}]}]",
         descriptions: "[{\"lang\": \"en\", \"value\": \"MinIO versions before RELEASE.2020-04-23T00-58-49Z have an authentication bypass issue in the MinIO admin API. Given an admin access key, it is possible to perform admin API operations i.e. creating new service accounts for existing access keys - without knowing the admin secret key. This has been fixed and released in version RELEASE.2020-04-23T00-58-49Z.\"}, {\"lang\": \"es\", \"value\": \"MinIO versiones anteriores a la versi\\u00f3n  RELEASE.2020-04-23T00-58-49Z, tiene un problema de omisi\\u00f3n de autenticaci\\u00f3n en la API de administraci\\u00f3n de MinIO. Dada una clave de acceso de administrador, es posible llevar a cabo operaciones de la API del administrador, es decir, crear nuevas cuentas de servicio para claves de acceso existentes, sin conocer la clave secreta del administrador. Esto se ha corregido y publicado en la versi\\u00f3n RELEASE.2020-04-23T00-58-49Z.\"}]",
         id: "CVE-2020-11012",
         lastModified: "2024-11-21T04:56:34.820",
         metrics: "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N\", \"baseScore\": 9.3, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 4.7}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.6}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:N/I:P/A:N\", \"baseScore\": 5.0, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 10.0, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
         published: "2020-04-23T22:15:12.833",
         references: "[{\"url\": \"https://github.com/minio/minio/commit/4cd6ca02c7957aeb2de3eede08b0754332a77923\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/minio/minio/pull/9422\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://github.com/minio/minio/releases/tag/RELEASE.2020-04-23T00-58-49Z\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://github.com/minio/minio/security/advisories/GHSA-xv4r-vccv-mg4w\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/minio/minio/commit/4cd6ca02c7957aeb2de3eede08b0754332a77923\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/minio/minio/pull/9422\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://github.com/minio/minio/releases/tag/RELEASE.2020-04-23T00-58-49Z\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://github.com/minio/minio/security/advisories/GHSA-xv4r-vccv-mg4w\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}]",
         sourceIdentifier: "security-advisories@github.com",
         vulnStatus: "Modified",
         weaknesses: "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-305\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-755\"}]}]",
      },
      nvd: "{\"cve\":{\"id\":\"CVE-2020-11012\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2020-04-23T22:15:12.833\",\"lastModified\":\"2024-11-21T04:56:34.820\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"MinIO versions before RELEASE.2020-04-23T00-58-49Z have an authentication bypass issue in the MinIO admin API. Given an admin access key, it is possible to perform admin API operations i.e. creating new service accounts for existing access keys - without knowing the admin secret key. This has been fixed and released in version RELEASE.2020-04-23T00-58-49Z.\"},{\"lang\":\"es\",\"value\":\"MinIO versiones anteriores a la versión  RELEASE.2020-04-23T00-58-49Z, tiene un problema de omisión de autenticación en la API de administración de MinIO. Dada una clave de acceso de administrador, es posible llevar a cabo operaciones de la API del administrador, es decir, crear nuevas cuentas de servicio para claves de acceso existentes, sin conocer la clave secreta del administrador. Esto se ha corregido y publicado en la versión RELEASE.2020-04-23T00-58-49Z.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N\",\"baseScore\":9.3,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":4.7},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:N/I:P/A:N\",\"baseScore\":5.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-305\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-755\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2020-04-23t00-58-49z\",\"matchCriteriaId\":\"31CB1B2A-7802-446D-8D09-53DF944D7444\"}]}]}],\"references\":[{\"url\":\"https://github.com/minio/minio/commit/4cd6ca02c7957aeb2de3eede08b0754332a77923\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/minio/minio/pull/9422\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/minio/minio/releases/tag/RELEASE.2020-04-23T00-58-49Z\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/minio/minio/security/advisories/GHSA-xv4r-vccv-mg4w\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/minio/minio/commit/4cd6ca02c7957aeb2de3eede08b0754332a77923\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/minio/minio/pull/9422\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/minio/minio/releases/tag/RELEASE.2020-04-23T00-58-49Z\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/minio/minio/security/advisories/GHSA-xv4r-vccv-mg4w\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]}]}}",
   },
}

gsd-2020-11012

Vulnerability from gsd

Modified

2023-12-13 01:22

Details

Aliases

CVE-2020-11012

Aliases

CVE-2020-11012

JSON

To clipboard

{
   GSD: {
      alias: "CVE-2020-11012",
      description: "MinIO versions before RELEASE.2020-04-23T00-58-49Z have an authentication bypass issue in the MinIO admin API. Given an admin access key, it is possible to perform admin API operations i.e. creating new service accounts for existing access keys - without knowing the admin secret key. This has been fixed and released in version RELEASE.2020-04-23T00-58-49Z.",
      id: "GSD-2020-11012",
   },
   gsd: {
      metadata: {
         exploitCode: "unknown",
         remediation: "unknown",
         reportConfidence: "confirmed",
         type: "vulnerability",
      },
      osvSchema: {
         aliases: [
            "CVE-2020-11012",
         ],
         details: "MinIO versions before RELEASE.2020-04-23T00-58-49Z have an authentication bypass issue in the MinIO admin API. Given an admin access key, it is possible to perform admin API operations i.e. creating new service accounts for existing access keys - without knowing the admin secret key. This has been fixed and released in version RELEASE.2020-04-23T00-58-49Z.",
         id: "GSD-2020-11012",
         modified: "2023-12-13T01:22:06.140816Z",
         schema_version: "1.4.0",
      },
   },
   namespaces: {
      "cve.org": {
         CVE_data_meta: {
            ASSIGNER: "security-advisories@github.com",
            ID: "CVE-2020-11012",
            STATE: "PUBLIC",
            TITLE: "Authentication bypass MinIO Admin API",
         },
         affects: {
            vendor: {
               vendor_data: [
                  {
                     product: {
                        product_data: [
                           {
                              product_name: "minio",
                              version: {
                                 version_data: [
                                    {
                                       version_value: "< RELEASE.2020-04-23T00-58-49Z",
                                    },
                                 ],
                              },
                           },
                        ],
                     },
                     vendor_name: "MinIO",
                  },
               ],
            },
         },
         data_format: "MITRE",
         data_type: "CVE",
         data_version: "4.0",
         description: {
            description_data: [
               {
                  lang: "eng",
                  value: "MinIO versions before RELEASE.2020-04-23T00-58-49Z have an authentication bypass issue in the MinIO admin API. Given an admin access key, it is possible to perform admin API operations i.e. creating new service accounts for existing access keys - without knowing the admin secret key. This has been fixed and released in version RELEASE.2020-04-23T00-58-49Z.",
               },
            ],
         },
         impact: {
            cvss: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 9.3,
               baseSeverity: "CRITICAL",
               confidentialityImpact: "LOW",
               integrityImpact: "HIGH",
               privilegesRequired: "NONE",
               scope: "CHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N",
               version: "3.1",
            },
         },
         problemtype: {
            problemtype_data: [
               {
                  description: [
                     {
                        lang: "eng",
                        value: "CWE-305: Authentication Bypass by Primary Weakness",
                     },
                  ],
               },
            ],
         },
         references: {
            reference_data: [
               {
                  name: "https://github.com/minio/minio/security/advisories/GHSA-xv4r-vccv-mg4w",
                  refsource: "CONFIRM",
                  url: "https://github.com/minio/minio/security/advisories/GHSA-xv4r-vccv-mg4w",
               },
               {
                  name: "https://github.com/minio/minio/pull/9422",
                  refsource: "MISC",
                  url: "https://github.com/minio/minio/pull/9422",
               },
               {
                  name: "https://github.com/minio/minio/commit/4cd6ca02c7957aeb2de3eede08b0754332a77923",
                  refsource: "MISC",
                  url: "https://github.com/minio/minio/commit/4cd6ca02c7957aeb2de3eede08b0754332a77923",
               },
               {
                  name: "https://github.com/minio/minio/releases/tag/RELEASE.2020-04-23T00-58-49Z",
                  refsource: "MISC",
                  url: "https://github.com/minio/minio/releases/tag/RELEASE.2020-04-23T00-58-49Z",
               },
            ],
         },
         source: {
            advisory: "GHSA-xv4r-vccv-mg4w",
            discovery: "UNKNOWN",
         },
      },
      "gitlab.com": {
         advisories: [
            {
               affected_range: "<RELEASE.2020-04-23T00-58-49Z",
               affected_versions: "All versions before 2020-04-23t00-58-49z",
               cvss_v2: "AV:N/AC:L/Au:N/C:N/I:P/A:N",
               cvss_v3: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
               cwe_ids: [
                  "CWE-1035",
                  "CWE-755",
                  "CWE-937",
               ],
               date: "2021-10-26",
               description: "MinIO has an authentication bypass issue in the MinIO admin API. Given an admin access key, it is possible to perform admin API operations, i.e., creating new service accounts for existing access keys without knowing the admin secret key.",
               fixed_versions: [
                  "RELEASE.2020-04-23T00-58-49Z",
               ],
               identifier: "CVE-2020-11012",
               identifiers: [
                  "CVE-2020-11012",
                  "GHSA-xv4r-vccv-mg4w",
               ],
               not_impacted: "All versions starting from RELEASE.2020-04-23T00-58-49Z",
               package_slug: "go/github.com/minio/minio",
               pubdate: "2020-04-23",
               solution: "Upgrade to version RELEASE.2020-04-23T00-58-49Z or above.",
               title: "Improper Authentication",
               urls: [
                  "https://nvd.nist.gov/vuln/detail/CVE-2020-11012",
               ],
               uuid: "216192fe-2efa-4c52-addd-4bf3522c2b69",
               versions: [
                  {
                     commit: {
                        sha: "343fedadbb481420c5b9f1a4328c12b203d777f9",
                        tags: [
                           "RELEASE.2020-04-23T00-58-49Z",
                        ],
                        timestamp: "20200423010658",
                     },
                     number: "RELEASE.2020-04-23T00-58-49Z",
                  },
               ],
            },
         ],
      },
      "nvd.nist.gov": {
         configurations: {
            CVE_data_version: "4.0",
            nodes: [
               {
                  children: [],
                  cpe_match: [
                     {
                        cpe23Uri: "cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*",
                        cpe_name: [],
                        versionEndExcluding: "2020-04-23t00-58-49z",
                        vulnerable: true,
                     },
                  ],
                  operator: "OR",
               },
            ],
         },
         cve: {
            CVE_data_meta: {
               ASSIGNER: "security-advisories@github.com",
               ID: "CVE-2020-11012",
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "en",
                     value: "MinIO versions before RELEASE.2020-04-23T00-58-49Z have an authentication bypass issue in the MinIO admin API. Given an admin access key, it is possible to perform admin API operations i.e. creating new service accounts for existing access keys - without knowing the admin secret key. This has been fixed and released in version RELEASE.2020-04-23T00-58-49Z.",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "en",
                           value: "CWE-755",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://github.com/minio/minio/commit/4cd6ca02c7957aeb2de3eede08b0754332a77923",
                     refsource: "MISC",
                     tags: [
                        "Patch",
                        "Third Party Advisory",
                     ],
                     url: "https://github.com/minio/minio/commit/4cd6ca02c7957aeb2de3eede08b0754332a77923",
                  },
                  {
                     name: "https://github.com/minio/minio/pull/9422",
                     refsource: "MISC",
                     tags: [
                        "Third Party Advisory",
                     ],
                     url: "https://github.com/minio/minio/pull/9422",
                  },
                  {
                     name: "https://github.com/minio/minio/security/advisories/GHSA-xv4r-vccv-mg4w",
                     refsource: "CONFIRM",
                     tags: [
                        "Patch",
                        "Third Party Advisory",
                     ],
                     url: "https://github.com/minio/minio/security/advisories/GHSA-xv4r-vccv-mg4w",
                  },
                  {
                     name: "https://github.com/minio/minio/releases/tag/RELEASE.2020-04-23T00-58-49Z",
                     refsource: "MISC",
                     tags: [
                        "Third Party Advisory",
                     ],
                     url: "https://github.com/minio/minio/releases/tag/RELEASE.2020-04-23T00-58-49Z",
                  },
               ],
            },
         },
         impact: {
            baseMetricV2: {
               acInsufInfo: false,
               cvssV2: {
                  accessComplexity: "LOW",
                  accessVector: "NETWORK",
                  authentication: "NONE",
                  availabilityImpact: "NONE",
                  baseScore: 5,
                  confidentialityImpact: "NONE",
                  integrityImpact: "PARTIAL",
                  vectorString: "AV:N/AC:L/Au:N/C:N/I:P/A:N",
                  version: "2.0",
               },
               exploitabilityScore: 10,
               impactScore: 2.9,
               obtainAllPrivilege: false,
               obtainOtherPrivilege: false,
               obtainUserPrivilege: false,
               severity: "MEDIUM",
               userInteractionRequired: false,
            },
            baseMetricV3: {
               cvssV3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 7.5,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "NONE",
                  integrityImpact: "HIGH",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
                  version: "3.1",
               },
               exploitabilityScore: 3.9,
               impactScore: 3.6,
            },
         },
         lastModifiedDate: "2021-10-26T20:02Z",
         publishedDate: "2020-04-23T22:15Z",
      },
   },
}

var-202004-2185

Vulnerability from variot

Show details on source website

JSON

To clipboard

{
   "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
      affected_products: {
         "@id": "https://www.variotdbs.pl/ref/affected_products",
      },
      configurations: {
         "@id": "https://www.variotdbs.pl/ref/configurations",
      },
      credits: {
         "@id": "https://www.variotdbs.pl/ref/credits",
      },
      cvss: {
         "@id": "https://www.variotdbs.pl/ref/cvss/",
      },
      description: {
         "@id": "https://www.variotdbs.pl/ref/description/",
      },
      exploit_availability: {
         "@id": "https://www.variotdbs.pl/ref/exploit_availability/",
      },
      external_ids: {
         "@id": "https://www.variotdbs.pl/ref/external_ids/",
      },
      iot: {
         "@id": "https://www.variotdbs.pl/ref/iot/",
      },
      iot_taxonomy: {
         "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/",
      },
      patch: {
         "@id": "https://www.variotdbs.pl/ref/patch/",
      },
      problemtype_data: {
         "@id": "https://www.variotdbs.pl/ref/problemtype_data/",
      },
      references: {
         "@id": "https://www.variotdbs.pl/ref/references/",
      },
      sources: {
         "@id": "https://www.variotdbs.pl/ref/sources/",
      },
      sources_release_date: {
         "@id": "https://www.variotdbs.pl/ref/sources_release_date/",
      },
      sources_update_date: {
         "@id": "https://www.variotdbs.pl/ref/sources_update_date/",
      },
      threat_type: {
         "@id": "https://www.variotdbs.pl/ref/threat_type/",
      },
      title: {
         "@id": "https://www.variotdbs.pl/ref/title/",
      },
      type: {
         "@id": "https://www.variotdbs.pl/ref/type/",
      },
   },
   "@id": "https://www.variotdbs.pl/vuln/VAR-202004-2185",
   affected_products: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
         data: {
            "@container": "@list",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
            "@id": "https://www.variotdbs.pl/ref/sources",
         },
      },
      data: [
         {
            model: "minio",
            scope: "lt",
            trust: 1,
            vendor: "minio",
            version: "2020-04-23t00-58-49z",
         },
         {
            model: "minio",
            scope: "eq",
            trust: 0.8,
            vendor: "minio",
            version: "release.2020-04-23t00-58-49z",
         },
      ],
      sources: [
         {
            db: "JVNDB",
            id: "JVNDB-2020-004949",
         },
         {
            db: "NVD",
            id: "CVE-2020-11012",
         },
      ],
   },
   configurations: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/configurations#",
         children: {
            "@container": "@list",
         },
         cpe_match: {
            "@container": "@list",
         },
         data: {
            "@container": "@list",
         },
         nodes: {
            "@container": "@list",
         },
      },
      data: [
         {
            CVE_data_version: "4.0",
            nodes: [
               {
                  children: [],
                  cpe_match: [
                     {
                        cpe23Uri: "cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*",
                        cpe_name: [],
                        versionEndExcluding: "2020-04-23t00-58-49z",
                        vulnerable: true,
                     },
                  ],
                  operator: "OR",
               },
            ],
         },
      ],
      sources: [
         {
            db: "NVD",
            id: "CVE-2020-11012",
         },
      ],
   },
   cve: "CVE-2020-11012",
   cvss: {
      "@context": {
         cvssV2: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#",
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2",
         },
         cvssV3: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#",
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/",
         },
         severity: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/cvss/severity#",
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
            "@id": "https://www.variotdbs.pl/ref/sources",
         },
      },
      data: [
         {
            cvssV2: [
               {
                  acInsufInfo: false,
                  accessComplexity: "LOW",
                  accessVector: "NETWORK",
                  authentication: "NONE",
                  author: "NVD",
                  availabilityImpact: "NONE",
                  baseScore: 5,
                  confidentialityImpact: "NONE",
                  exploitabilityScore: 10,
                  impactScore: 2.9,
                  integrityImpact: "PARTIAL",
                  obtainAllPrivilege: false,
                  obtainOtherPrivilege: false,
                  obtainUserPrivilege: false,
                  severity: "MEDIUM",
                  trust: 1,
                  userInteractionRequired: false,
                  vectorString: "AV:N/AC:L/Au:N/C:N/I:P/A:N",
                  version: "2.0",
               },
               {
                  acInsufInfo: null,
                  accessComplexity: "Low",
                  accessVector: "Network",
                  authentication: "None",
                  author: "NVD",
                  availabilityImpact: "None",
                  baseScore: 5,
                  confidentialityImpact: "None",
                  exploitabilityScore: null,
                  id: "JVNDB-2020-004949",
                  impactScore: null,
                  integrityImpact: "Partial",
                  obtainAllPrivilege: null,
                  obtainOtherPrivilege: null,
                  obtainUserPrivilege: null,
                  severity: "Medium",
                  trust: 0.8,
                  userInteractionRequired: null,
                  vectorString: "AV:N/AC:L/Au:N/C:N/I:P/A:N",
                  version: "2.0",
               },
            ],
            cvssV3: [
               {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  author: "NVD",
                  availabilityImpact: "NONE",
                  baseScore: 7.5,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "NONE",
                  exploitabilityScore: 3.9,
                  impactScore: 3.6,
                  integrityImpact: "HIGH",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  trust: 1,
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
                  version: "3.1",
               },
               {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  author: "security-advisories@github.com",
                  availabilityImpact: "NONE",
                  baseScore: 9.3,
                  baseSeverity: "CRITICAL",
                  confidentialityImpact: "LOW",
                  exploitabilityScore: 3.9,
                  impactScore: 4.7,
                  integrityImpact: "HIGH",
                  privilegesRequired: "NONE",
                  scope: "CHANGED",
                  trust: 1,
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N",
                  version: "3.1",
               },
               {
                  attackComplexity: "Low",
                  attackVector: "Network",
                  author: "NVD",
                  availabilityImpact: "None",
                  baseScore: 7.5,
                  baseSeverity: "High",
                  confidentialityImpact: "None",
                  exploitabilityScore: null,
                  id: "JVNDB-2020-004949",
                  impactScore: null,
                  integrityImpact: "High",
                  privilegesRequired: "None",
                  scope: "Unchanged",
                  trust: 0.8,
                  userInteraction: "None",
                  vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
                  version: "3.0",
               },
            ],
            severity: [
               {
                  author: "NVD",
                  id: "CVE-2020-11012",
                  trust: 1,
                  value: "HIGH",
               },
               {
                  author: "security-advisories@github.com",
                  id: "CVE-2020-11012",
                  trust: 1,
                  value: "CRITICAL",
               },
               {
                  author: "NVD",
                  id: "JVNDB-2020-004949",
                  trust: 0.8,
                  value: "High",
               },
               {
                  author: "CNNVD",
                  id: "CNNVD-202004-2042",
                  trust: 0.6,
                  value: "HIGH",
               },
            ],
         },
      ],
      sources: [
         {
            db: "JVNDB",
            id: "JVNDB-2020-004949",
         },
         {
            db: "NVD",
            id: "CVE-2020-11012",
         },
         {
            db: "NVD",
            id: "CVE-2020-11012",
         },
         {
            db: "CNNVD",
            id: "CNNVD-202004-2042",
         },
      ],
   },
   description: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/description#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: "MinIO versions before RELEASE.2020-04-23T00-58-49Z have an authentication bypass issue in the MinIO admin API. Given an admin access key, it is possible to perform admin API operations i.e. creating new service accounts for existing access keys - without knowing the admin secret key. This has been fixed and released in version RELEASE.2020-04-23T00-58-49Z. MinIO There is an authentication vulnerability in.Information may be tampered with",
      sources: [
         {
            db: "NVD",
            id: "CVE-2020-11012",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2020-004949",
         },
      ],
      trust: 1.62,
   },
   external_ids: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
         data: {
            "@container": "@list",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: [
         {
            db: "NVD",
            id: "CVE-2020-11012",
            trust: 2.4,
         },
         {
            db: "JVNDB",
            id: "JVNDB-2020-004949",
            trust: 0.8,
         },
         {
            db: "CNNVD",
            id: "CNNVD-202004-2042",
            trust: 0.6,
         },
      ],
      sources: [
         {
            db: "JVNDB",
            id: "JVNDB-2020-004949",
         },
         {
            db: "NVD",
            id: "CVE-2020-11012",
         },
         {
            db: "CNNVD",
            id: "CNNVD-202004-2042",
         },
      ],
   },
   id: "VAR-202004-2185",
   iot: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/iot#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: true,
      sources: [
         {
            db: "VARIoT devices database",
            id: null,
         },
      ],
      trust: 0.18899521,
   },
   last_update_date: "2023-12-18T13:37:49.133000Z",
   patch: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/patch#",
         data: {
            "@container": "@list",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: [
         {
            title: "Top Page",
            trust: 0.8,
            url: "https://min.io/",
         },
         {
            title: "MinIO Security vulnerabilities",
            trust: 0.6,
            url: "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=116797",
         },
      ],
      sources: [
         {
            db: "JVNDB",
            id: "JVNDB-2020-004949",
         },
         {
            db: "CNNVD",
            id: "CNNVD-202004-2042",
         },
      ],
   },
   problemtype_data: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: [
         {
            problemtype: "CWE-755",
            trust: 1,
         },
         {
            problemtype: "CWE-287",
            trust: 0.8,
         },
      ],
      sources: [
         {
            db: "JVNDB",
            id: "JVNDB-2020-004949",
         },
         {
            db: "NVD",
            id: "CVE-2020-11012",
         },
      ],
   },
   references: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/references#",
         data: {
            "@container": "@list",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: [
         {
            trust: 2.4,
            url: "https://github.com/minio/minio/commit/4cd6ca02c7957aeb2de3eede08b0754332a77923",
         },
         {
            trust: 1.6,
            url: "https://github.com/minio/minio/pull/9422",
         },
         {
            trust: 1.6,
            url: "https://github.com/minio/minio/releases/tag/release.2020-04-23t00-58-49z",
         },
         {
            trust: 1.6,
            url: "https://github.com/minio/minio/security/advisories/ghsa-xv4r-vccv-mg4w",
         },
         {
            trust: 0.8,
            url: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-11012",
         },
         {
            trust: 0.8,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2020-11012\\"
         },
         {
            trust: 0.6,
            url: "https://nvd.nist.gov/vuln/detail/cve-2020-11012",
         },
      ],
      sources: [
         {
            db: "JVNDB",
            id: "JVNDB-2020-004949",
         },
         {
            db: "NVD",
            id: "CVE-2020-11012",
         },
         {
            db: "CNNVD",
            id: "CNNVD-202004-2042",
         },
      ],
   },
   sources: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/sources#",
         data: {
            "@container": "@list",
         },
      },
      data: [
         {
            db: "JVNDB",
            id: "JVNDB-2020-004949",
         },
         {
            db: "NVD",
            id: "CVE-2020-11012",
         },
         {
            db: "CNNVD",
            id: "CNNVD-202004-2042",
         },
      ],
   },
   sources_release_date: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
         data: {
            "@container": "@list",
         },
      },
      data: [
         {
            date: "2020-06-03T00:00:00",
            db: "JVNDB",
            id: "JVNDB-2020-004949",
         },
         {
            date: "2020-04-23T22:15:12.833000",
            db: "NVD",
            id: "CVE-2020-11012",
         },
         {
            date: "2020-04-23T00:00:00",
            db: "CNNVD",
            id: "CNNVD-202004-2042",
         },
      ],
   },
   sources_update_date: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
         data: {
            "@container": "@list",
         },
      },
      data: [
         {
            date: "2020-06-03T00:00:00",
            db: "JVNDB",
            id: "JVNDB-2020-004949",
         },
         {
            date: "2021-10-26T20:02:15.260000",
            db: "NVD",
            id: "CVE-2020-11012",
         },
         {
            date: "2021-10-27T00:00:00",
            db: "CNNVD",
            id: "CNNVD-202004-2042",
         },
      ],
   },
   threat_type: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: "remote",
      sources: [
         {
            db: "CNNVD",
            id: "CNNVD-202004-2042",
         },
      ],
      trust: 0.6,
   },
   title: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/title#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: "MinIO Authentication vulnerabilities in",
      sources: [
         {
            db: "JVNDB",
            id: "JVNDB-2020-004949",
         },
      ],
      trust: 0.8,
   },
   type: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/type#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: "authorization issue",
      sources: [
         {
            db: "CNNVD",
            id: "CNNVD-202004-2042",
         },
      ],
      trust: 0.6,
   },
}

ghsa-xv4r-vccv-mg4w

Vulnerability from github

Published

2021-05-24 21:13

Modified

2021-12-20 18:07

Severity ?

7.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

Summary

MinIO Admin API security issue

Details

During an internal security audit, we detected an authentication bypass issue in the MinIO admin API. The security issue has been reported internally. We have not observed this exploit in the wild or reported elsewhere in the community at large. All users are advised to upgrade ASAP.

Impact

Given an admin access key, it is possible to perform admin API operations i.e. creating new service accounts for existing access keys without knowing the admin secret key. This security issue was found during a regular internal security audit.

Patches

This issue was fixed by @vadmeste in PR https://github.com/minio/minio/pull/9422

Binary Download

Please download the latest server binary that contains the fix from

| Platform | Architecture | URL | | ---------- | -------- | ------ | | Apple macOS | 64-bit Intel | https://dl.min.io/server/minio/release/darwin-amd64/minio | | GNU/Linux | 64-bit Intel | https://dl.min.io/server/minio/release/linux-amd64/minio | | Microsoft Windows | 64-bit | https://dl.min.io/server/minio/release/windows-amd64/minio.exe |

Docker Container Download

docker pull minio/minio:RELEASE.2020-04-23T00-58-49Z

Questions

If you have any questions or comments regarding this advisory please reach out to us any of the following means.

If you are a community user minio/minio
Email us at security@min.io
If you are a paid customer please open an issue at https://subnet.min.io

Show details on source website

JSON

To clipboard

{
   affected: [],
   aliases: [
      "CVE-2020-11012",
   ],
   database_specific: {
      cwe_ids: [
         "CWE-287",
         "CWE-305",
         "CWE-755",
      ],
      github_reviewed: false,
      github_reviewed_at: null,
      nvd_published_at: "2020-04-23T22:15:00Z",
      severity: "HIGH",
   },
   details: "During an internal security audit, we detected an authentication bypass issue in the MinIO admin API. The security issue has been reported internally. We have not observed this exploit in the wild or reported elsewhere in the community at large. All users are advised to upgrade ASAP.\n\n### Impact\nGiven an admin access key, it is possible to perform admin API operations i.e. creating new service accounts for existing access keys without knowing the admin secret key. This security issue was found during a regular internal security audit. \n\n### Patches\nThis issue was fixed by @vadmeste in PR https://github.com/minio/minio/pull/9422 \n\n### Binary Download\nPlease download the latest server binary that contains the fix from\n\n| Platform    | Architecture | URL                                                       |\n| ----------  | --------     | ------                                                    |\n| Apple macOS | 64-bit Intel | https://dl.min.io/server/minio/release/darwin-amd64/minio |\n| GNU/Linux  | 64-bit Intel | https://dl.min.io/server/minio/release/linux-amd64/minio |\n| Microsoft Windows | 64-bit       | https://dl.min.io/server/minio/release/windows-amd64/minio.exe |\n\n### Docker Container Download\n```\ndocker pull minio/minio:RELEASE.2020-04-23T00-58-49Z\n```\n\n### Questions\nIf you have any questions or comments regarding this advisory please reach out to us any of the following means.\n\n- If you are a community user [minio/minio](https://github.com/minio/minio/issues)\n- Email us at [security@min.io](mailto:security@min.io)\n- If you are a paid customer please open an issue at https://subnet.min.io",
   id: "GHSA-xv4r-vccv-mg4w",
   modified: "2021-12-20T18:07:48Z",
   published: "2021-05-24T21:13:59Z",
   references: [
      {
         type: "WEB",
         url: "https://github.com/minio/minio/security/advisories/GHSA-xv4r-vccv-mg4w",
      },
      {
         type: "ADVISORY",
         url: "https://nvd.nist.gov/vuln/detail/CVE-2020-11012",
      },
      {
         type: "WEB",
         url: "https://github.com/minio/minio/pull/9422",
      },
      {
         type: "WEB",
         url: "https://github.com/minio/minio/commit/4cd6ca02c7957aeb2de3eede08b0754332a77923",
      },
      {
         type: "PACKAGE",
         url: "https://github.com/minio/minio",
      },
      {
         type: "WEB",
         url: "https://github.com/minio/minio/releases/tag/RELEASE.2020-04-23T00-58-49Z",
      },
   ],
   schema_version: "1.4.0",
   severity: [
      {
         score: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N",
         type: "CVSS_V3",
      },
   ],
   summary: "MinIO Admin API security issue",
}

fkie_cve-2020-11012

Vulnerability from fkie_nvd

Published

2020-04-23 22:15

Modified

2024-11-21 04:56

Severity ?

9.3 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/minio/minio/commit/4cd6ca02c7957aeb2de3eede08b0754332a77923	Patch, Third Party Advisory
security-advisories@github.com	https://github.com/minio/minio/pull/9422	Third Party Advisory
security-advisories@github.com	https://github.com/minio/minio/releases/tag/RELEASE.2020-04-23T00-58-49Z	Third Party Advisory
security-advisories@github.com	https://github.com/minio/minio/security/advisories/GHSA-xv4r-vccv-mg4w	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/minio/minio/commit/4cd6ca02c7957aeb2de3eede08b0754332a77923	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/minio/minio/pull/9422	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/minio/minio/releases/tag/RELEASE.2020-04-23T00-58-49Z	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/minio/minio/security/advisories/GHSA-xv4r-vccv-mg4w	Patch, Third Party Advisory

Impacted products

	Vendor	Product	Version
	minio	minio	*

JSON

To clipboard

{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "31CB1B2A-7802-446D-8D09-53DF944D7444",
                     versionEndExcluding: "2020-04-23t00-58-49z",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "MinIO versions before RELEASE.2020-04-23T00-58-49Z have an authentication bypass issue in the MinIO admin API. Given an admin access key, it is possible to perform admin API operations i.e. creating new service accounts for existing access keys - without knowing the admin secret key. This has been fixed and released in version RELEASE.2020-04-23T00-58-49Z.",
      },
      {
         lang: "es",
         value: "MinIO versiones anteriores a la versión  RELEASE.2020-04-23T00-58-49Z, tiene un problema de omisión de autenticación en la API de administración de MinIO. Dada una clave de acceso de administrador, es posible llevar a cabo operaciones de la API del administrador, es decir, crear nuevas cuentas de servicio para claves de acceso existentes, sin conocer la clave secreta del administrador. Esto se ha corregido y publicado en la versión RELEASE.2020-04-23T00-58-49Z.",
      },
   ],
   id: "CVE-2020-11012",
   lastModified: "2024-11-21T04:56:34.820",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: false,
            baseSeverity: "MEDIUM",
            cvssData: {
               accessComplexity: "LOW",
               accessVector: "NETWORK",
               authentication: "NONE",
               availabilityImpact: "NONE",
               baseScore: 5,
               confidentialityImpact: "NONE",
               integrityImpact: "PARTIAL",
               vectorString: "AV:N/AC:L/Au:N/C:N/I:P/A:N",
               version: "2.0",
            },
            exploitabilityScore: 10,
            impactScore: 2.9,
            obtainAllPrivilege: false,
            obtainOtherPrivilege: false,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: false,
         },
      ],
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 9.3,
               baseSeverity: "CRITICAL",
               confidentialityImpact: "LOW",
               integrityImpact: "HIGH",
               privilegesRequired: "NONE",
               scope: "CHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N",
               version: "3.1",
            },
            exploitabilityScore: 3.9,
            impactScore: 4.7,
            source: "security-advisories@github.com",
            type: "Secondary",
         },
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 7.5,
               baseSeverity: "HIGH",
               confidentialityImpact: "NONE",
               integrityImpact: "HIGH",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
               version: "3.1",
            },
            exploitabilityScore: 3.9,
            impactScore: 3.6,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2020-04-23T22:15:12.833",
   references: [
      {
         source: "security-advisories@github.com",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://github.com/minio/minio/commit/4cd6ca02c7957aeb2de3eede08b0754332a77923",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://github.com/minio/minio/pull/9422",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://github.com/minio/minio/releases/tag/RELEASE.2020-04-23T00-58-49Z",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://github.com/minio/minio/security/advisories/GHSA-xv4r-vccv-mg4w",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://github.com/minio/minio/commit/4cd6ca02c7957aeb2de3eede08b0754332a77923",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://github.com/minio/minio/pull/9422",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://github.com/minio/minio/releases/tag/RELEASE.2020-04-23T00-58-49Z",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://github.com/minio/minio/security/advisories/GHSA-xv4r-vccv-mg4w",
      },
   ],
   sourceIdentifier: "security-advisories@github.com",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-305",
            },
         ],
         source: "security-advisories@github.com",
         type: "Secondary",
      },
      {
         description: [
            {
               lang: "en",
               value: "CWE-755",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2020-11012 (GCVE-0-2020-11012)

Vulnerability from cvelistv5

gsd-2020-11012

Vulnerability from gsd

var-202004-2185

Vulnerability from variot

ghsa-xv4r-vccv-mg4w

Vulnerability from github

Impact

Patches

Binary Download

Docker Container Download

Questions

fkie_cve-2020-11012

Vulnerability from fkie_nvd

Tags

Sightings

Nomenclature