Количество 6
Количество 6
CVE-2025-62506
MinIO is a high-performance object storage system. In all versions prior to RELEASE.2025-10-15T17-29-55Z, a privilege escalation vulnerability allows service accounts and STS (Security Token Service) accounts with restricted session policies to bypass their inline policy restrictions when performing operations on their own account, specifically when creating new service accounts for the same user. The vulnerability exists in the IAM policy validation logic where the code incorrectly relied on the DenyOnly argument when validating session policies for restricted accounts. When a session policy is present, the system should validate that the action is allowed by the session policy, not just that it is not denied. An attacker with valid credentials for a restricted service or STS account can create a new service account for itself without policy restrictions, resulting in a new service account with full parent privileges instead of being restricted by the inline policy. This allows the at
CVE-2025-62506
MinIO is a high-performance object storage system. In all versions pri ...
GHSA-jjjj-jwhf-8rgr
MinIO is Vulnerable to Privilege Escalation via Session Policy Bypass in Service Accounts and STS
BDU:2025-13411
Уязвимость сервера хранения объектов MinIO, связанная с недостатками механизма авторизации, позволяющая нарушителю повысить свои привилегии
ROS-20251113-04
Уязвимость minio
ROS-20251113-03
Уязвимость minio-client
Уязвимостей на страницу
Уязвимость | CVSS | EPSS | Опубликовано | |
|---|---|---|---|---|
 | CVE-2025-62506 MinIO is a high-performance object storage system. In all versions prior to RELEASE.2025-10-15T17-29-55Z, a privilege escalation vulnerability allows service accounts and STS (Security Token Service) accounts with restricted session policies to bypass their inline policy restrictions when performing operations on their own account, specifically when creating new service accounts for the same user. The vulnerability exists in the IAM policy validation logic where the code incorrectly relied on the DenyOnly argument when validating session policies for restricted accounts. When a session policy is present, the system should validate that the action is allowed by the session policy, not just that it is not denied. An attacker with valid credentials for a restricted service or STS account can create a new service account for itself without policy restrictions, resulting in a new service account with full parent privileges instead of being restricted by the inline policy. This allows the at | CVSS3: 8.1 | 0% Низкий | 3 месяца назад |
| CVE-2025-62506 MinIO is a high-performance object storage system. In all versions pri ... | CVSS3: 8.1 | 0% Низкий | 3 месяца назад |
| GHSA-jjjj-jwhf-8rgr MinIO is Vulnerable to Privilege Escalation via Session Policy Bypass in Service Accounts and STS | CVSS3: 8.1 | 0% Низкий | 3 месяца назад |
 | BDU:2025-13411 Уязвимость сервера хранения объектов MinIO, связанная с недостатками механизма авторизации, позволяющая нарушителю повысить свои привилегии | CVSS3: 8.1 | 0% Низкий | 3 месяца назад |
 | ROS-20251113-04 Уязвимость minio | CVSS3: 8.1 | 0% Низкий | 2 месяца назад |
| ROS-20251113-03 Уязвимость minio-client | CVSS3: 8.1 | 0% Низкий | 2 месяца назад |
Уязвимостей на страницу