Lucene search: Minio

20 matches found

added 2024/12/16 8:15 p.m., 3721 views

CVE-2024-55949

MinIO is a high-performance, S3 compatible object store, open sourced under GNU AGPLv3 license. MinIO is subject to a privilege escalation in the IAM import API; all users are impacted since MinIO commit 580d9db85e04f1b63cc2909af50f0ed08afa965f. This issue has been addressed in commit f246c9053f9603e61...

CVSS 9.3, AI score 6.7, EPSS 0.00192

added 2025/04/03 8:15 p.m., 1133 views

CVE-2025-31489

MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. The signature component of the authorization may be invalid, which would mean that as a client you can use any arbitrary secret to upload objects given the user already has prior WRITE permissions on t...

CVSS 8.7, AI score 6.8, EPSS 0.02099

added 2023/03/22 9:15 p.m., 608 views

CVE-2023-28432

Minio is a Multi-Cloud Object Storage framework. In a cluster deployment starting with RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z, MinIO returns all environment variables, including MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD, resulting in information disclosure. All users o...

CVSS 7.5, AI score 7.5, EPSS 0.93931
In wild, Web

added 2023/03/22 9:15 p.m., 573 views

CVE-2023-28434

Minio is a Multi-Cloud Object Storage framework. Prior to RELEASE.2023-03-20T20-16-18Z, an attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing PostPolicyBucket. To carry out this attack, the attacker requires credentials with ...

CVSS 8.8, AI score 8.6, EPSS 0.33706
In wild, Web

added 2022/08/01 10:15 p.m., 407 views

CVE-2022-35919

MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. In affected versions all 'admin' users authorized for admin:ServerUpdate can selectively trigger an error that, in response, returns the content of the path requested. Any normal OS system would allow a...

CVSS 7.4, AI score 5.4, EPSS 0.05737
Web

added 2023/03/22 9:15 p.m., 389 views

CVE-2023-28433

Minio is a Multi-Cloud Object Storage framework. All users on Windows prior to version RELEASE.2023-03-20T20-16-18Z are impacted. MinIO fails to filter the \ character, which allows for arbitrary object placement across buckets. As a result, a user with low privileges, such as an access key, servic...

CVSS 8.8, AI score 8.4, EPSS 0.00296

added 2024/05/28 7:15 p.m., 274 views

CVE-2024-36107

MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. When used with anonymous requests, the If-Modified-Since and If-Unmodified-Since headers can be used, by sending requests with a random object name, to determine if an object exists or not on the server on a speci...

CVSS 5.3, AI score 5, EPSS 0.00138

added 2021/12/27 10:15 p.m., 155 views

CVE-2021-43858

MinIO is a Kubernetes native application for cloud storage. Prior to version RELEASE.2021-12-27T07-23-18Z, a malicious client can hand-craft an HTTP API call that allows for updating policy for a user and gaining higher privileges. The patch in version RELEASE.2021-12-27T07-23-18Z changes the accep...

CVSS 8.8, AI score 8.5, EPSS 0.46632

added 2021/03/08 7:15 p.m., 154 views

CVE-2021-21362

MinIO is an open-source high performance object storage service and it is API compatible with Amazon S3 cloud storage service. In MinIO before version RELEASE.2021-03-04T00-53-13Z it is possible to bypass a readOnly policy by creating a temporary 'mc share upload' URL. Everyone is impacted who uses...

CVSS 7.7, AI score 6.6, EPSS 0.00078

added 2024/01/31 10:15 p.m., 148 views

CVE-2024-24747

MinIO is a High Performance Object Storage. When someone creates an access key, it inherits the permissions of the parent key, not only for s3:* actions but also for admin:* actions. This means that unless the admin rights are denied somewhere above in the access-key hierarchy, access keys will be able t...

CVSS 8.8, AI score 8.2, EPSS 0.24934
Web

added 2022/04/12 6:15 p.m., 140 views

CVE-2022-24842

MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. A security issue was found where a non-admin user is able to create service accounts for root or other admin users and then is able to assume their access policies via the generated credentials. This ...

CVSS 9, AI score 8.7, EPSS 0.00227

added 2025/02/28 9:15 p.m., 83 views

CVE-2025-27414

MinIO is a high performance object storage. Starting in RELEASE.2024-06-06T09-36-42Z and prior to RELEASE.2025-02-28T09-55-16Z, a bug in evaluating the trust of the SSH key used in an SFTP connection to MinIO allows authentication bypass and unauthorized data access. On a MinIO server with SFTP acce...

CVSS 8.2, AI score 7.1, EPSS 0.00171

added 2020/04/23 10:15 p.m., 79 views

CVE-2020-11012

MinIO versions before RELEASE.2020-04-23T00-58-49Z have an authentication bypass issue in the MinIO admin API. Given an admin access key, it is possible to perform admin API operations i.e. creating new service accounts for existing access keys - without knowing the admin secret key. This has been ...

CVSS 9.3, AI score 7.8, EPSS 0.00075

added 2022/06/07 4:15 p.m., 72 views

CVE-2022-31028

MinIO is a multi-cloud object storage solution. Starting with version RELEASE.2019-09-25T18-25-51Z and ending with version RELEASE.2022-06-02T02-11-04Z, MinIO is vulnerable to an unending go-routine buildup while keeping connections established due to HTTP clients not closing the connections. Publi...

CVSS 7.5, AI score 7.4, EPSS 0.00647

added 2021/02/01 6:15 p.m., 68 views

CVE-2021-21287

MinIO is a High Performance Object Storage released under Apache License v2.0. In MinIO before version RELEASE.2021-01-30T00-20-58Z there is a server-side request forgery vulnerability. The target application may have functionality for importing data from a URL, publishing data to a URL, or otherwi...

CVSS 7.7, AI score 7.5, EPSS 0.92685

added 2021/03/19 4:15 p.m., 54 views

CVE-2021-21390

MinIO is an open-source high performance object storage service and it is API compatible with Amazon S3 cloud storage service. In MinIO before version RELEASE.2021-03-17T02-33-02Z, there is a vulnerability which enables MITM modification of request bodies that are meant to have integrity guaranteed...

CVSS 6.5, AI score 5.6, EPSS 0.00264

added 2023/03/14 7:15 p.m., 52 views

CVE-2023-27589

Minio is a Multi-Cloud Object Storage framework. Starting with RELEASE.2020-12-23T02-24-12Z and prior to RELEASE.2023-03-13T19-46-17Z, a user with consoleAdmin permissions can potentially create a user that matches the root credential accessKey. Once this user is created successfully, the root cred...

CVSS 6.5, AI score 6.3, EPSS 0.00076

added 2023/02/21 9:15 p.m., 51 views

CVE-2023-25812

Minio is a Multi-Cloud Object Storage framework. Affected versions do not correctly honor a Deny policy on ByPassGoverance. Ideally, minio should return "Access Denied" to all users attempting to DELETE a versionId with the special header X-Amz-Bypass-Governance-Retention: true. However, this was n...

CVSS 8.8, AI score 7.4, EPSS 0.00107

added 2021/10/13 2:15 p.m., 50 views

CVE-2021-41137

Minio is a Kubernetes native application for cloud storage. All users on release RELEASE.2021-10-10T16-53-30Z are affected by a vulnerability that involves bypassing policy restrictions on regular users. Normally, checkKeyValid() should return owner true for rootCreds. In the affected version, poli...

CVSS 8.8, AI score 8.4, EPSS 0.00437

added 2018/06/26 4:29 p.m., 46 views

CVE-2018-1000538

Minio Inc. Minio S3 server version prior to RELEASE.2018-05-16T23-35-33Z contains an Allocation of Memory Without Limits or Throttling (similar to CWE-774) vulnerability in write-to-RAM that can result in Denial of Service. This attack appears to be exploitable via sending V4-(pre)signed requests wit...

CVSS 7.5, AI score 7.5, EPSS 0.0028