CVE-2022-31028

CVSS Base Score: 7.5
Tags: Exploit

Possible DDoS by establishing keep-alive connections with anonymous HTTP clients in MinIO

MinIO is a multi-cloud object storage solution. Starting with version RELEASE.2019-09-25T18-25-51Z and ending with version RELEASE.2022-06-02T02-11-04Z, MinIO is vulnerable to unbounded goroutine buildup: each connection that an HTTP client keeps open without closing it ties up a goroutine on the server, so clients that never close their connections can exhaust server resources. Public-facing MinIO deployments are most affected. Users should upgrade to RELEASE.2022-06-02T02-11-04Z to receive a patch. One possible workaround is to place a reverse proxy in front of MinIO that limits the number of connections being attempted and actively rejects connections from such malicious clients.

Data provided by National Vulnerability Database (NVD)

Affected configuration: Vendor Minio, Product Minio, Version >= 2019-09-25t18-25-51z and < 2022-06-02t02-11-04z

No advisory warning was found for this CVE.
EPSS Metrics

Type   Source     Score   Percentile
EPSS   FIRST.org  2.84%   0.848

CVSS Metrics

Source                          Base Score  Exploit Score  Impact Score  Vector String
nvd@nist.gov                    7.5         3.9            3.6           CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvd@nist.gov                    5           10             2.9           AV:N/AC:L/Au:N/C:N/I:N/A:P
security-advisories@github.com  7.5         3.9            3.6           CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-400 Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

References

https://gist.github.com/harshavardhana/2d00e6f909054d2d2524c71485ad02e1 (Third Party Advisory, Exploit)
https://github.com/minio/minio/pull/14995 (Patch, Third Party Advisory)
https://github.com/minio/minio/releases/tag/RELEASE.2022-06-03T01-40-53Z (Third Party Advisory)
https://github.com/minio/minio/security/advisories/GHSA-qrpr-r3pw-f636 (Third Party Advisory)