CVE-2020-11012

EPSS 0.19%
Veröffentlicht 23.04.2020 22:15:12
Zuletzt bearbeitet 21.11.2024 04:56:34
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

MinIO versions before RELEASE.2020-04-23T00-58-49Z have an authentication bypass issue in the MinIO admin API. Given an admin access key, it is possible to perform admin API operations i.e. creating new service accounts for existing access keys - without knowing the admin secret key. This has been fixed and released in version RELEASE.2020-04-23T00-58-49Z.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 2 Referenzen 7

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Minio ≫ Minio Version < 2020-04-23t00-58-49z

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.19%	0.413

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:N/I:P/A:N
security-advisories@github.com	9.3	3.9	4.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N

CWE-305 Authentication Bypass by Primary Weakness

The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error.

CWE-755 Improper Handling of Exceptional Conditions

The product does not handle or incorrectly handles an exceptional condition.

https://github.com/minio/minio/commit/4cd6ca02c7957aeb2de3eede08b0754332a77923

Patch

Third Party Advisory

https://github.com/minio/minio/pull/9422

Third Party Advisory

https://github.com/minio/minio/releases/tag/RELEASE.2020-04-23T00-58-49Z

Third Party Advisory

https://github.com/minio/minio/security/advisories/GHSA-xv4r-vccv-mg4w

Patch

Third Party Advisory