15 matches found

EUVD
added 2025/10/03 8:7 p.m., 2 views

EUVD-2023-29705

Malicious code in bioql PyPI...

8.8 CVSS, 6.5 AI score, 0.00201 EPSS
Exploits: 1, References: 3
RedhatCVE
added 2025/05/23 3:33 a.m., 6 views

CVE-2023-27589

Minio is a Multi-Cloud Object Storage framework. Starting with RELEASE.2020-12-23T02-24-12Z and prior to RELEASE.2023-03-13T19-46-17Z, a user with consoleAdmin permissions can potentially create a user that matches the root credential accessKey. Once this user is created successfully, the root...

6.5 CVSS, 6.7 AI score, 0.00319 EPSS
Exploits: 1, References: 1
OSV
added 2024/03/06 10:56 a.m., 6 views

BIT-MINIO-2023-25812 Allowed DELETE on resources on object locked buckets under Governance mode in Minio

Minio is a Multi-Cloud Object Storage framework. Affected versions do not correctly honor a Deny policy on ByPassGoverance. Ideally, minio should return "Access Denied" to all users attempting to DELETE a versionId with the special header X-Amz-Bypass-Governance-Retention: true. However, this was...

8.8 CVSS, 7.3 AI score, 0.00201 EPSS
Exploits: 1, References: 4
Prion
added 2023/03/22 9:15 p.m., 30 views

Code injection

Minio is a Multi-Cloud Object Storage framework. Prior to RELEASE.2023-03-20T20-16-18Z, an attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing PostPolicyBucket. To carry out this attack, the attacker requires credentials wit...

6.5 CVSS, 8.5 AI score, 0.52087 EPSS
Exploits: 2, References: 3, Affected Software: 1
CVE
added 2023/03/22 8:44 p.m., 631 views

CVE-2023-28434

CVE-2023-28434 (MinIO) affects MinIO’s object storage framework. A security feature bypass allows an attacker with credentials for arn:aws:s3:::* and Console API access to bypass metadata bucket name checking during PostPolicyBucket and place objects into arbitrary buckets. This can impact confid...

8.8 CVSS, 8.3 AI score, 0.52087 EPSS
In wild, Exploits: 2, References: 4, Affected Software: 1
Vulnrichment
added 2023/03/22 8:44 p.m., 10 views

CVE-2023-28434 MinIO is vulnerable to privilege escalation on Linux/MacOS

Minio is a Multi-Cloud Object Storage framework. Prior to RELEASE.2023-03-20T20-16-18Z, an attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing PostPolicyBucket. To carry out this attack, the attacker requires credentials wit...

8.8 CVSS, 8.3 AI score, 0.52087 EPSS
Exploits: 2, References: 3
OSV
added 2023/03/22 8:33 p.m., 21 views

CVE-2023-28433 Minio Privilege Escalation on Windows via Path separator manipulation

Minio is a Multi-Cloud Object Storage framework. All users on Windows prior to version RELEASE.2023-03-20T20-16-18Z are impacted. MinIO fails to filter the \ character, which allows for arbitrary object placement across buckets. As a result, a user with low privileges, such as an access key,...

8.8 CVSS, 8.4 AI score, 0.00639 EPSS
Exploits: 0, References: 6
CVE
added 2023/03/22 8:33 p.m., 468 views

CVE-2023-28433

MinIO on Windows is affected by a privilege-escalation issue where the product fails to filter the backslash (\) character, enabling an attacker with low privileges (e.g., a limited PutObject key) to place objects across buckets and create an admin user. The concrete root cause is path separator h...

8.8 CVSS, 8.4 AI score, 0.00639 EPSS
Exploits: 0, References: 4, Affected Software: 1
CVE
added 2023/03/22 8:16 p.m., 631 views

CVE-2023-28432

CVE-2023-28432 affects MinIO in cluster deployments from releases before RELEASE.2023-03-20T20-16-18Z, where MinIO may disclose all environment variables including MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD. The issue is triggered by an information-disclosure flaw in the bootstrap/verify flow, enab...

7.5 CVSS, 7.5 AI score, 0.94061 EPSS
In wild, Exploits: 13, References: 6, Affected Software: 1
OSV
added 2023/03/14 6:22 p.m., 17 views

CVE-2023-27589 Minio vulnerable to denial of access by an admin privileged user for root credential

Minio is a Multi-Cloud Object Storage framework. Starting with RELEASE.2020-12-23T02-24-12Z and prior to RELEASE.2023-03-13T19-46-17Z, a user with consoleAdmin permissions can potentially create a user that matches the root credential accessKey. Once this user is created successfully, the root...

6.5 CVSS, 6.3 AI score, 0.00319 EPSS
Exploits: 1, References: 4
Cvelist
added 2023/03/14 6:22 p.m., 13 views

CVE-2023-27589 Minio vulnerable to denial of access by an admin privileged user for root credential

Minio is a Multi-Cloud Object Storage framework. Starting with RELEASE.2020-12-23T02-24-12Z and prior to RELEASE.2023-03-13T19-46-17Z, a user with consoleAdmin permissions can potentially create a user that matches the root credential accessKey. Once this user is created successfully, the root...

6.5 CVSS, 6.5 AI score, 0.00319 EPSS
Exploits: 1, References: 2
CVE
added 2023/03/14 6:22 p.m., 61 views

CVE-2023-27589

Minio CVE-2023-27589 affects a privilege-management flaw in Minio’s consoleAdmin path: before patch, a user with consoleAdmin could create a user matching the root accessKey, causing the root credential to stop working. The issue is fixed in RELEASE.2023-03-13T19-46-17Z. There are workarounds to ...

6.5 CVSS, 6.3 AI score, 0.00319 EPSS
Exploits: 1, References: 2, Affected Software: 1
Prion
added 2023/02/21 9:15 p.m., 12 views

Design/Logic Flaw

Minio is a Multi-Cloud Object Storage framework. Affected versions do not correctly honor a Deny policy on ByPassGoverance. Ideally, minio should return "Access Denied" to all users attempting to DELETE a versionId with the special header X-Amz-Bypass-Governance-Retention: true. However, this was...

6.5 CVSS, 8.6 AI score, 0.00201 EPSS
Exploits: 1, References: 3, Affected Software: 1
CVE
added 2023/02/21 8:32 p.m., 59 views

CVE-2023-25812

CVE-2023-25812 (Minio) affects Minio, a multi-cloud object storage framework. Affected versions fail to honor a Deny policy when receiving the header X-Amz-Bypass-Governance-Retention: true, allowing a request to delete a versionId under governance. The issue states that such requests are incorre...

8.8 CVSS, 7.4 AI score, 0.00201 EPSS
Exploits: 1, References: 3, Affected Software: 1
Vulnrichment
added 2023/02/21 8:32 p.m., 4 views

CVE-2023-25812 Allowed DELETE on resources on object locked buckets under Governance mode in Minio

Minio is a Multi-Cloud Object Storage framework. Affected versions do not correctly honor a Deny policy on ByPassGoverance. Ideally, minio should return "Access Denied" to all users attempting to DELETE a versionId with the special header X-Amz-Bypass-Governance-Retention: true. However, this was...

6.5 CVSS, 7.7 AI score, 0.00201 EPSS
Exploits: 1, References: 3