CVE-2020-11012 — Authentication bypass MinIO Admin API

Description

MinIO versions before RELEASE.2020-04-23T00-58-49Z have an authentication bypass issue in the MinIO admin API. Given an admin access key, it is possible to perform admin API operations i.e. creating new service accounts for existing access keys - without knowing the admin secret key. This has been fixed and released in version RELEASE.2020-04-23T00-58-49Z.

How to fix CVE-2020-11012

To remediate CVE-2020-11012, upgrade the affected package to a fixed version below.

—upgrade to 2020.04.23 or later

Is CVE-2020-11012 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 2020.04.23

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References (5)

WEBgithub.com/minio/minio/commit/4cd6ca02c7957aeb2de3eede08b0754332a77923
WEBgithub.com/minio/minio/pull/9422
WEBgithub.com/minio/minio/releases/tag/RELEASE.2020-04-23T00-58-49Z
WEBgithub.com/minio/minio/security/advisories/GHSA-xv4r-vccv-mg4w