CVE-2022-31028 - OpenCVE

MinIO is a multi-cloud object storage solution. Starting with version RELEASE.2019-09-25T18-25-51Z and ending with version RELEASE.2022-06-02T02-11-04Z, MinIO is vulnerable to an unending go-routine buildup while keeping connections established due to HTTP clients not closing the connections. Public-facing MinIO deployments are most affected. Users should upgrade to RELEASE.2022-06-02T02-11-04Z to receive a patch. One possible workaround is to use a reverse proxy to limit the number of connections being attempted in front of MinIO, and actively rejecting connections from such malicious clients.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:N/AC:L/Au:N/C:N/I:N/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Minio	Minio

Configuration 1 [-]

cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://gist.github.com/harshavardhana/2d00e6f909054d2d2524c71485ad02e1
https://github.com/minio/minio/pull/14995
https://github.com/minio/minio/releases/tag/RELEASE.2022-06-03T01-40-53Z
https://github.com/minio/minio/security/advisories/GHSA-qrpr-r3pw-f636

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2022-06-03T14:40:11

Updated: 2024-08-03T07:03:40.192Z

Reserved: 2022-05-18T00:00:00

Link: CVE-2022-31028

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-06-07T16:15:07.760

Modified: 2022-06-14T14:40:02.617

Link: CVE-2022-31028

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "minio", "vendor": "minio", "versions": [{"status": "affected", "version": ">= RELEASE.2019-09-25T18-25-51Z, < RELEASE.2022-06-02T02-11-04Z"}]}], "descriptions": [{"lang": "en", "value": "MinIO is a multi-cloud object storage solution. Starting with version RELEASE.2019-09-25T18-25-51Z and ending with version RELEASE.2022-06-02T02-11-04Z, MinIO is vulnerable to an unending go-routine buildup while keeping connections established due to HTTP clients not closing the connections. Public-facing MinIO deployments are most affected. Users should upgrade to RELEASE.2022-06-02T02-11-04Z to receive a patch. One possible workaround is to use a reverse proxy to limit the number of connections being attempted in front of MinIO, and actively rejecting connections from such malicious clients."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-06-03T14:40:11", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/minio/minio/security/advisories/GHSA-qrpr-r3pw-f636"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/minio/minio/pull/14995"}, {"tags": ["x_refsource_MISC"], "url": "https://gist.github.com/harshavardhana/2d00e6f909054d2d2524c71485ad02e1"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/minio/minio/releases/tag/RELEASE.2022-06-03T01-40-53Z"}], "source": {"advisory": "GHSA-qrpr-r3pw-f636", "discovery": "UNKNOWN"}, "title": "Possible DDOS by establishing keep-alive connections with anonymous HTTP clients in MinIO", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-31028", "STATE": "PUBLIC", "TITLE": "Possible DDOS by establishing keep-alive connections with anonymous HTTP clients in MinIO"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "minio", "version": {"version_data": [{"version_value": ">= RELEASE.2019-09-25T18-25-51Z, < RELEASE.2022-06-02T02-11-04Z"}]}}]}, "vendor_name": "minio"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "MinIO is a multi-cloud object storage solution. Starting with version RELEASE.2019-09-25T18-25-51Z and ending with version RELEASE.2022-06-02T02-11-04Z, MinIO is vulnerable to an unending go-routine buildup while keeping connections established due to HTTP clients not closing the connections. Public-facing MinIO deployments are most affected. Users should upgrade to RELEASE.2022-06-02T02-11-04Z to receive a patch. One possible workaround is to use a reverse proxy to limit the number of connections being attempted in front of MinIO, and actively rejecting connections from such malicious clients."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-400: Uncontrolled Resource Consumption"}]}]}, "references": {"reference_data": [{"name": "https://github.com/minio/minio/security/advisories/GHSA-qrpr-r3pw-f636", "refsource": "CONFIRM", "url": "https://github.com/minio/minio/security/advisories/GHSA-qrpr-r3pw-f636"}, {"name": "https://github.com/minio/minio/pull/14995", "refsource": "MISC", "url": "https://github.com/minio/minio/pull/14995"}, {"name": "https://gist.github.com/harshavardhana/2d00e6f909054d2d2524c71485ad02e1", "refsource": "MISC", "url": "https://gist.github.com/harshavardhana/2d00e6f909054d2d2524c71485ad02e1"}, {"name": "https://github.com/minio/minio/releases/tag/RELEASE.2022-06-03T01-40-53Z", "refsource": "MISC", "url": "https://github.com/minio/minio/releases/tag/RELEASE.2022-06-03T01-40-53Z"}]}, "source": {"advisory": "GHSA-qrpr-r3pw-f636", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T07:03:40.192Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/minio/minio/security/advisories/GHSA-qrpr-r3pw-f636"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/minio/minio/pull/14995"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://gist.github.com/harshavardhana/2d00e6f909054d2d2524c71485ad02e1"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/minio/minio/releases/tag/RELEASE.2022-06-03T01-40-53Z"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-31028", "datePublished": "2022-06-03T14:40:11", "dateReserved": "2022-05-18T00:00:00", "dateUpdated": "2024-08-03T07:03:40.192Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*", "matchCriteriaId": "475F440D-67A1-4C71-9B3F-89AF627B3D4F", "versionEndExcluding": "2022-06-02t02-11-04z", "versionStartIncluding": "2019-09-25t18-25-51z", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "MinIO is a multi-cloud object storage solution. Starting with version RELEASE.2019-09-25T18-25-51Z and ending with version RELEASE.2022-06-02T02-11-04Z, MinIO is vulnerable to an unending go-routine buildup while keeping connections established due to HTTP clients not closing the connections. Public-facing MinIO deployments are most affected. Users should upgrade to RELEASE.2022-06-02T02-11-04Z to receive a patch. One possible workaround is to use a reverse proxy to limit the number of connections being attempted in front of MinIO, and actively rejecting connections from such malicious clients."}, {"lang": "es", "value": "MinIO es una soluci\u00f3n de almacenamiento de objetos multi-nube. A partir de la versi\u00f3n RELEASE.2019-09-25T18-25-51Z y versiones hasta RELEASE.2022-06-02T02-11-04Z, MinIO es vulnerable a una acumulaci\u00f3n interminable de rutinas mientras mantiene las conexiones establecidas debido a que los clientes HTTP no cierran las conexiones. Los despliegues de MinIO de cara al p\u00fablico son los m\u00e1s afectados. Los usuarios deben actualizar a RELEASE.2022-06-02T02-11-04Z para recibir un parche. Una posible mitigaci\u00f3n es usar un proxy inverso para limitar el n\u00famero de conexiones que son intentadas delante de MinIO, y rechazar activamente las conexiones de estos clientes maliciosos"}], "id": "CVE-2022-31028", "lastModified": "2022-06-14T14:40:02.617", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2022-06-07T16:15:07.760", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://gist.github.com/harshavardhana/2d00e6f909054d2d2524c71485ad02e1"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/minio/minio/pull/14995"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/minio/minio/releases/tag/RELEASE.2022-06-03T01-40-53Z"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/minio/minio/security/advisories/GHSA-qrpr-r3pw-f636"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-400"}], "source": "security-advisories@github.com", "type": "Secondary"}]}