CVE-2023-25812

Опубликовано: 21 фев. 2023

Источник: nvd

CVSS3: 6.5

CVSS3: 8.8

EPSS Низкий

Описание

Minio is a Multi-Cloud Object Storage framework. Affected versions do not correctly honor a Deny policy on ByPassGoverance. Ideally, minio should return "Access Denied" to all users attempting to DELETE a versionId with the special header X-Amz-Bypass-Governance-Retention: true. However, this was not honored instead the request will be honored and an object under governance would be incorrectly deleted. All users are advised to upgrade. There are no known workarounds for this issue.

Ссылки

https://github.com/minio/minio/commit/a7188bc9d0f0a5ae05aaf1b8126bcd3cb3fdc485
Patch
https://github.com/minio/minio/pull/16635
Issue Tracking
Patch
https://github.com/minio/minio/security/advisories/GHSA-c8fc-mjj8-fc63
Exploit
Vendor Advisory
https://github.com/minio/minio/commit/a7188bc9d0f0a5ae05aaf1b8126bcd3cb3fdc485
Patch
https://github.com/minio/minio/pull/16635
Issue Tracking
Patch
https://github.com/minio/minio/security/advisories/GHSA-c8fc-mjj8-fc63
Exploit
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*

Версия от 2020-04-10t03-34-42z (включая) до 2023-02-17t17-52-43z (исключая)

EPSS

Процентиль: 42%

0.00201

Низкий

6.5 Medium

CVSS3

8.8 High

CVSS3

Дефекты

CWE-281

NVD-CWE-noinfo

Связанные уязвимости

CVE-2023-25812

CVSS3: 6.5

debian

около 3 лет назад

Minio is a Multi-Cloud Object Storage framework. Affected versions do ...

BDU:2023-01857

CVSS3: 8.8

fstec

около 3 лет назад

Уязвимость сервера хранения объектов MinIO, связана с ошибками при сохранении разрешений, позволяющая нарушителю удалить управляемый объект

ROS-20230317-03

CVSS3: 8.8

redos

около 3 лет назад

Уязвимость Minio

EPSS

Процентиль: 42%

0.00201

Низкий

6.5 Medium

CVSS3

8.8 High

CVSS3

Дефекты

CWE-281

NVD-CWE-noinfo