Lucene search

10 matches found

OSV, added 2025/04/22 6:14 p.m.

GO-2025-3637 Minio Operator uses Kubernetes apiserver audience for AssumeRoleWithWebIdentity STS in github.com/minio/operator

Minio Operator uses Kubernetes apiserver audience for AssumeRoleWithWebIdentity STS in github.com/minio/operator. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports...

CVSS 6.9, AI score 6.3, EPSS 0.00044, Exploits 0, References 2
Vulnrichment, added 2025/04/22 5:14 p.m.

CVE-2025-32963 Minio Operator uses Kubernetes apiserver audience for AssumeRoleWithWebIdentity STS

MinIO Operator STS is a native IAM Authentication for Kubernetes. Prior to version 7.1.0, if no audiences are provided for the spec.audiences field, the default will be of the Kubernetes apiserver. Without scoping, it can be replayed to other internal systems, which may unintentionally trust it...

CVSS 6.9, AI score 7.1, EPSS 0.00044, Exploits 0, References 3
CVE, added 2025/04/22 5:14 p.m.

CVE-2025-32963

MinIO Operator STS (Kubernetes IAM) flaw: before v7.1.0, the spec.audiences default could be the Kubernetes API server, allowing replay to internal systems. Root cause: unscoped audiences enable trust beyond intended scope. Impact: tokens could be replayed to other components; mitigated only by p...

CVSS 6.9, AI score 6.5, EPSS 0.00044, Exploits 0, References 3
OSV, added 2025/04/21 10:51 p.m.

GHSA-7M6V-Q233-Q9J9 Minio Operator uses Kubernetes apiserver audience for AssumeRoleWithWebIdentity STS

Prevent token leakage / privilege escalation MinIO Operator STS: A Quick Overview MinIO Operator STS is a native IAM Authentication for Kubernetes. MinIO Operator offers support for Secure Tokens a.k.a. STS which are a form of temporary access credentials for your MinIO Tenant. In essence, this...

CVSS 6.9, AI score 7.6, EPSS 0.00044, Exploits 0, References 5
Github Security Blog, added 2024/07/23 6:31 p.m.

Apache Arrow Rust Object Store: AWS WebIdentityToken exposure in log files

Exposure of temporary credentials in logs in Apache Arrow Rust Object Store objectstore crate, version 0.10.1 and earlier on all platforms using AWS WebIdentityTokens. On certain error conditions, the logs may contain the OIDC token passed to AssumeRoleWithWebIdentity...

CVSS 7.5, AI score 7.1, EPSS 0.00285, Exploits 0, References 7, Affected Software 1
OSV, added 2024/07/23 6:31 p.m.

GHSA-C2HF-VCMR-QJRF Apache Arrow Rust Object Store: AWS WebIdentityToken exposure in log files

Exposure of temporary credentials in logs in Apache Arrow Rust Object Store objectstore crate, version 0.10.1 and earlier on all platforms using AWS WebIdentityTokens. On certain error conditions, the logs may contain the OIDC token passed to AssumeRoleWithWebIdentity...

CVSS 4.8, AI score 7.6, EPSS 0.00285, Exploits 0, References 7
NVD, added 2024/07/23 5:15 p.m.

CVE-2024-41178

Exposure of temporary credentials in logs in Apache Arrow Rust Object Store objectstore crate, version 0.10.1 and earlier on all platforms using AWS WebIdentityTokens. On certain error conditions, the logs may contain the OIDC token passed to AssumeRoleWithWebIdentity...

CVSS 7.5, EPSS 0.00285, Exploits 0, References 2
Vulnrichment, added 2024/07/23 4:50 p.m.

CVE-2024-41178 Apache Arrow Rust Object Store: AWS WebIdentityToken exposure in log files

Exposure of temporary credentials in logs in Apache Arrow Rust Object Store objectstore crate, version 0.10.1 and earlier on all platforms using AWS WebIdentityTokens. On certain error conditions, the logs may contain the OIDC token passed to AssumeRoleWithWebIdentity...

AI score 6.7, EPSS 0.00285, Exploits 0, References 2
CVE, added 2024/07/23 4:50 p.m.

CVE-2024-41178

Apache Arrow Rust Object Store (object_store crate)

CVSS 7.5, AI score 6.8, EPSS 0.00285, Exploits 0, References 2, Affected Software 1
OSV, added 2024/07/23 12:00 p.m.

RUSTSEC-2024-0358 Apache Arrow Rust Object Store: AWS WebIdentityToken exposure in log files

Exposure of temporary credentials in logs in Apache Arrow Rust Object Store, version 0.10.1 and earlier on all platforms using AWS WebIdentityTokens. On certain error conditions, the logs may contain the OIDC token passed to AssumeRoleWithWebIdentity. This allows someone with access to the logs t...

CVSS 3.8, AI score 7.6, EPSS 0.00285, Exploits 0, References 4