221 matches found
CVE-2023-28434 MinIO is vulnerable to privilege escalation on Linux/MacOS
Minio is a Multi-Cloud Object Storage framework. Prior to RELEASE.2023-03-20T20-16-18Z, an attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing PostPolicyBucket. To carry out this attack, the attacker requires credentials wit...
CVE-2023-28433
MinIO on Windows is affected by a privilege-escalation issue where the product fails to filter the backslash () character, enabling an attacker with low privileges (e.g., a limited PutObject key) to place objects across buckets and create an admin user. The concrete root cause is path separator h...
CVE-2023-28433 Minio Privilege Escalation on Windows via Path separator manipulation
Minio is a Multi-Cloud Object Storage framework. All users on Windows prior to version RELEASE.2023-03-20T20-16-18Z are impacted. MinIO fails to filter the \ character, which allows for arbitrary object placement across buckets. As a result, a user with low privileges, such as an access key,...
CVE-2023-28432
CVE-2023-28432 affects MinIO in cluster deployments from releases before RELEASE.2023-03-20T20-16-18Z, where MinIO may disclose all environment variables including MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD. The issue is triggered by an information-disclosure flaw in the bootstrap/verify flow, enab...
CVE-2023-28432 Minio Information Disclosure in Cluster Deployment
Minio is a Multi-Cloud Object Storage framework. In a cluster deployment starting with RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z, MinIO returns all environment variables, including MINIOSECRETKEY and MINIOROOTPASSWORD, resulting in information disclosure. All users of...
CVE-2023-28432
Last updated 21 August 2024...
Design/Logic Flaw
Minio is a Multi-Cloud Object Storage framework. Starting with RELEASE.2020-12-23T02-24-12Z and prior to RELEASE.2023-03-13T19-46-17Z, a user with consoleAdmin permissions can potentially create a user that matches the root credential accessKey. Once this user is created successfully, the root...
CVE-2023-27589
Minio CVE-2023-27589 affects a privilege-management flaw in Minio’s consoleAdmin path: before patch, a user with consoleAdmin could create a user matching the root accessKey, causing the root credential to stop working. The issue is fixed in RELEASE.2023-03-13T19-46-17Z. There are workarounds to ...
CVE-2023-27589 Minio vulnerable to denial of access by an admin privileged user for root credential
Minio is a Multi-Cloud Object Storage framework. Starting with RELEASE.2020-12-23T02-24-12Z and prior to RELEASE.2023-03-13T19-46-17Z, a user with consoleAdmin permissions can potentially create a user that matches the root credential accessKey. Once this user is created successfully, the root...
CVE-2023-27589 Minio vulnerable to denial of access by an admin privileged user for root credential
Minio is a Multi-Cloud Object Storage framework. Starting with RELEASE.2020-12-23T02-24-12Z and prior to RELEASE.2023-03-13T19-46-17Z, a user with consoleAdmin permissions can potentially create a user that matches the root credential accessKey. Once this user is created successfully, the root...
CVE-2023-25812
Minio is a Multi-Cloud Object Storage framework. Affected versions do not correctly honor a Deny policy on ByPassGoverance. Ideally, minio should return "Access Denied" to all users attempting to DELETE a versionId with the special header X-Amz-Bypass-Governance-Retention: true. However, this was...
Design/Logic Flaw
Minio is a Multi-Cloud Object Storage framework. Affected versions do not correctly honor a Deny policy on ByPassGoverance. Ideally, minio should return "Access Denied" to all users attempting to DELETE a versionId with the special header X-Amz-Bypass-Governance-Retention: true. However, this was...
CVE-2023-25812
CVE-2023-25812 (Minio) affects Minio, a multi-cloud object storage framework. Affected versions fail to honor a Deny policy when receiving the header X-Amz-Bypass-Governance-Retention: true, allowing a request to delete a versionId under governance. The issue states that such requests are incorre...
CVE-2023-25812 Allowed DELETE on resources on object locked buckets under Governance mode in Minio
Minio is a Multi-Cloud Object Storage framework. Affected versions do not correctly honor a Deny policy on ByPassGoverance. Ideally, minio should return "Access Denied" to all users attempting to DELETE a versionId with the special header X-Amz-Bypass-Governance-Retention: true. However, this was...
CVE-2023-25812
Last updated 24 July 2024...
CIEM is Required for Cloud Security and IAM Providers to Compete: Gartner® Report
In an ongoing effort to help security organizations stay competitive, we’re pleased to offer this complimentary Gartner® report, Emerging Tech: CIEM Is Required for Cloud Security and IAM Providers to Compete. The research in the report demonstrates the need for Cloud Infrastructure Entitlement...
Real-Time Defense of Multi-Cloud Environments From Malicious Attacks and Threats
Organizations today cannot detect real-time threats at runtime due to the multi-cloud infrastructure, resulting in the possibility of malicious actors exploiting the environment. It is imperative for the modern organization to have a solution to detect advanced run-time threats in real-time to...
Announcing General Availability of Qualys TotalCloud
Qualys TotalCloud is a CNAPP solution based on Qualys Cloud Platform that provides multi-cloud vulnerability detection and misconfiguration response, and today we are pleased to announce that TotalCloud is now generally available. TotalCloud Home Page Unified View of Multi-Cloud Risk Posture...
The State of the Cloud 2023
Wiz's State of the Cloud 2023 report provides analysis of trends in cloud usage such as multi-cloud, use of managed services and more. In addition, the report highlights notable cloud risks based on insights from 30% of Fortune 100 enterprise cloud environments...
Cloud Security and Compliance Best Practices: Highlights From The CSA Cloud Controls Matrix
In a recent blog post, we highlighted the release of an InsightCloudSec compliance pack, that helps organizations establish and adhere to AWS Foundational Security Best Practices. While that’s a great pack for those who have standardized on AWS and are looking for a trusted set of controls to...