CVE-2020-11012 - OpenCVE

MinIO versions before RELEASE.2020-04-23T00-58-49Z have an authentication bypass issue in the MinIO admin API. Given an admin access key, it is possible to perform admin API operations i.e. creating new service accounts for existing access keys - without knowing the admin secret key. This has been fixed and released in version RELEASE.2020-04-23T00-58-49Z.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Minio	Minio

Configuration 1 [-]

cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/minio/minio/commit/4cd6ca02c7957aeb2de3eede08b0754332a77923
https://github.com/minio/minio/pull/9422
https://github.com/minio/minio/releases/tag/RELEASE.2020-04-23T00-58-49Z
https://github.com/minio/minio/security/advisories/GHSA-xv4r-vccv-mg4w

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2020-04-23T21:55:14

Updated: 2024-08-04T11:21:14.522Z

Reserved: 2020-03-30T00:00:00

Link: CVE-2020-11012

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2020-04-23T22:15:12.833

Modified: 2021-10-26T20:02:15.260

Link: CVE-2020-11012

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "minio", "vendor": "MinIO", "versions": [{"status": "affected", "version": "< RELEASE.2020-04-23T00-58-49Z"}]}], "descriptions": [{"lang": "en", "value": "MinIO versions before RELEASE.2020-04-23T00-58-49Z have an authentication bypass issue in the MinIO admin API. Given an admin access key, it is possible to perform admin API operations i.e. creating new service accounts for existing access keys - without knowing the admin secret key. This has been fixed and released in version RELEASE.2020-04-23T00-58-49Z."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-305", "description": "CWE-305: Authentication Bypass by Primary Weakness", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-04-23T21:55:14", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/minio/minio/security/advisories/GHSA-xv4r-vccv-mg4w"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/minio/minio/pull/9422"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/minio/minio/commit/4cd6ca02c7957aeb2de3eede08b0754332a77923"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/minio/minio/releases/tag/RELEASE.2020-04-23T00-58-49Z"}], "source": {"advisory": "GHSA-xv4r-vccv-mg4w", "discovery": "UNKNOWN"}, "title": "Authentication bypass MinIO Admin API", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-11012", "STATE": "PUBLIC", "TITLE": "Authentication bypass MinIO Admin API"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "minio", "version": {"version_data": [{"version_value": "< RELEASE.2020-04-23T00-58-49Z"}]}}]}, "vendor_name": "MinIO"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "MinIO versions before RELEASE.2020-04-23T00-58-49Z have an authentication bypass issue in the MinIO admin API. Given an admin access key, it is possible to perform admin API operations i.e. creating new service accounts for existing access keys - without knowing the admin secret key. This has been fixed and released in version RELEASE.2020-04-23T00-58-49Z."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-305: Authentication Bypass by Primary Weakness"}]}]}, "references": {"reference_data": [{"name": "https://github.com/minio/minio/security/advisories/GHSA-xv4r-vccv-mg4w", "refsource": "CONFIRM", "url": "https://github.com/minio/minio/security/advisories/GHSA-xv4r-vccv-mg4w"}, {"name": "https://github.com/minio/minio/pull/9422", "refsource": "MISC", "url": "https://github.com/minio/minio/pull/9422"}, {"name": "https://github.com/minio/minio/commit/4cd6ca02c7957aeb2de3eede08b0754332a77923", "refsource": "MISC", "url": "https://github.com/minio/minio/commit/4cd6ca02c7957aeb2de3eede08b0754332a77923"}, {"name": "https://github.com/minio/minio/releases/tag/RELEASE.2020-04-23T00-58-49Z", "refsource": "MISC", "url": "https://github.com/minio/minio/releases/tag/RELEASE.2020-04-23T00-58-49Z"}]}, "source": {"advisory": "GHSA-xv4r-vccv-mg4w", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T11:21:14.522Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/minio/minio/security/advisories/GHSA-xv4r-vccv-mg4w"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/minio/minio/pull/9422"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/minio/minio/commit/4cd6ca02c7957aeb2de3eede08b0754332a77923"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/minio/minio/releases/tag/RELEASE.2020-04-23T00-58-49Z"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2020-11012", "datePublished": "2020-04-23T21:55:14", "dateReserved": "2020-03-30T00:00:00", "dateUpdated": "2024-08-04T11:21:14.522Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*", "matchCriteriaId": "31CB1B2A-7802-446D-8D09-53DF944D7444", "versionEndExcluding": "2020-04-23t00-58-49z", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "MinIO versions before RELEASE.2020-04-23T00-58-49Z have an authentication bypass issue in the MinIO admin API. Given an admin access key, it is possible to perform admin API operations i.e. creating new service accounts for existing access keys - without knowing the admin secret key. This has been fixed and released in version RELEASE.2020-04-23T00-58-49Z."}, {"lang": "es", "value": "MinIO versiones anteriores a la versi\u00f3n RELEASE.2020-04-23T00-58-49Z, tiene un problema de omisi\u00f3n de autenticaci\u00f3n en la API de administraci\u00f3n de MinIO. Dada una clave de acceso de administrador, es posible llevar a cabo operaciones de la API del administrador, es decir, crear nuevas cuentas de servicio para claves de acceso existentes, sin conocer la clave secreta del administrador. Esto se ha corregido y publicado en la versi\u00f3n RELEASE.2020-04-23T00-58-49Z."}], "id": "CVE-2020-11012", "lastModified": "2021-10-26T20:02:15.260", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2020-04-23T22:15:12.833", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/minio/minio/commit/4cd6ca02c7957aeb2de3eede08b0754332a77923"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/minio/minio/pull/9422"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/minio/minio/releases/tag/RELEASE.2020-04-23T00-58-49Z"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/minio/minio/security/advisories/GHSA-xv4r-vccv-mg4w"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-755"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-305"}], "source": "security-advisories@github.com", "type": "Secondary"}]}