#VU80422 Improper access control in minio
Vulnerability identifier: #VU80422
Vulnerability risk: Medium
CVSSv3.1: 6.2 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:H/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-284
Exploitation vector: Network
Exploit availability: Yes
Vulnerable software:
minio
Other software /
Other software solutions
Vendor: minio.io
Description
The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions. A remote user with "arn:aws:s3:::*" permission and enabled Console API access can bypass metadata bucket name checking and put an object into any bucket while processing "PostPolicyBucket".
Mitigation
Install updates from vendor's website.
Vulnerable software versions
minio: 2019-12-17T23-16-33Z - 2023-03-13T19-46-17Z
External links
http://github.com/minio/minio/security/advisories/GHSA-2pxw-r47w-4p8c
http://github.com/minio/minio/pull/16849
http://github.com/minio/minio/commit/67f4ba154a27a1b06e48bfabda38355a010dfca5
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
Yes. This vulnerability is being exploited in the wild.
