Permissions, Privileges, and Access Controls in minio

#VU82277 Permissions, Privileges, and Access Controls in minio

Published: 2023-10-20

Vulnerability identifier: #VU82277

Vulnerability risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-27589

CWE-ID: CWE-264

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
minio
Other software / Other software solutions

Vendor:

Description

The vulnerability allows a remote privileged user to bypass security restrictions.

The vulnerability exists due to application does not properly impose security restrictions. A remote user with `consoleAdmin` permissions can potentially create a user that matches the root credential `accessKey`

Mitigation
Install updates from vendor's website.

Vulnerable software versions

External links
http://github.com/minio/minio/pull/16803
http://github.com/minio/minio/security/advisories/GHSA-9wfv-wmf7-6753

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM Spectrum Protect Plus Container backup and restore for Kubernetes and OpenShift