9.3
CVE-2020-11012
- EPSS 2.1%
- Veröffentlicht 23.04.2020 22:15:12
- Zuletzt bearbeitet 21.11.2024 04:56:34
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
LoginAuthentication bypass MinIO Admin API
MinIO versions before RELEASE.2020-04-23T00-58-49Z have an authentication bypass issue in the MinIO admin API. Given an admin access key, it is possible to perform admin API operations i.e. creating new service accounts for existing access keys - without knowing the admin secret key. This has been fixed and released in version RELEASE.2020-04-23T00-58-49Z.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 2.1% | 0.793 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7.5 | 3.9 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
|
| nvd@nist.gov | 5 | 10 | 2.9 |
AV:N/AC:L/Au:N/C:N/I:P/A:N
|
| security-advisories@github.com | 9.3 | 3.9 | 4.7 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N
|
CWE-305 Authentication Bypass by Primary Weakness
The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error.
CWE-755 Improper Handling of Exceptional Conditions
The product does not handle or incorrectly handles an exceptional condition.
https://github.com/minio/minio/commit/4cd6ca02c7957aeb2de3eede08b0754332a77923
https://github.com/minio/minio/pull/9422
https://github.com/minio/minio/releases/tag/RELEASE.2020-04-23T00-58-49Z
https://github.com/minio/minio/security/advisories/GHSA-xv4r-vccv-mg4w