#VU82277 Permissions, Privileges, and Access Controls in minio - CVE-2023-27589

Cybersecurity Help s.r.o.

Published: 2023-10-20

Vulnerability identifier: #VU82277

Vulnerability risk: Low

CVSSv4.0: 4.8 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2023-27589

CWE-ID: CWE-264

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
minio
Other software / Other software solutions

Vendor: minio.io

Description

The vulnerability allows a remote privileged user to bypass security restrictions.

The vulnerability exists due to application does not properly impose security restrictions. A remote user with `consoleAdmin` permissions can potentially create a user that matches the root credential `accessKey`

Mitigation
Install updates from vendor's website.

Vulnerable software versions

minio: before 2023-03-13T19-46-17Z

External links
https://github.com/minio/minio/pull/16803
https://github.com/minio/minio/security/advisories/GHSA-9wfv-wmf7-6753

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM Spectrum Protect Plus Container backup and restore for Kubernetes and OpenShift