#VU72488 Permissions, Privileges, and Access Controls in minio - CVE-2023-25812

Cybersecurity Help s.r.o.

Published: 2023-02-22

Vulnerability identifier: #VU72488

Vulnerability risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2023-25812

CWE-ID: CWE-264

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
minio
Other software / Other software solutions

Vendor: minio.io

Description

The vulnerability allows a remote attacker to escalate privileges on the system.

The vulnerability exists due to application does not correctly honor a "Deny" policy on ByPassGoverance. A remote attacker can gain elevated privileges on the system and delete an object under governance.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

minio: 2020-04-10T03-34-42Z - 2023-02-10T18-48-39Z

External links
https://github.com/minio/minio/security/advisories/GHSA-c8fc-mjj8-fc63
https://github.com/minio/minio/commit/a7188bc9d0f0a5ae05aaf1b8126bcd3cb3fdc485
https://github.com/minio/minio/pull/16635

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM Spectrum Protect Plus Container

Privilege escalation in Minio