CVE-2023-25812
CVE-2023-25812 is a high-severity vulnerability rated 8.8/10 on the CVSS scale. Minio is a Multi-Cloud Object Storage framework. Affected versions do not correctly honor a `Deny` policy on BypassGovernance. EPSS estimates a 0.95% chance of exploitation in the next 30 days.
Description
Minio is a Multi-Cloud Object Storage framework. Affected versions do not correctly honor a `Deny` policy on BypassGovernance. Ideally, minio should return "Access Denied" to all users attempting to DELETE a versionId with the special header `X-Amz-Bypass-Governance-Retention: true`. However, the `Deny` was not honored: the request was accepted instead, and an object under governance would be incorrectly deleted. All users are advised to upgrade. There are no known workarounds for this issue.
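The decision the description calls for can be shown with a small IAM-style policy evaluator. The following is an added illustration, not MinIO's own policy engine: the policy, the request and the evaluator are constructed here, and the action name `s3:BypassGovernanceRetention` is the standard S3 permission that the `X-Amz-Bypass-Governance-Retention` header requires. The "affected" behaviour is modelled only as the evaluator skipping that permission check, which is a simplification of the bug, not MinIO's actual code path. The point it demonstrates is the rule the fix restores: an explicit `Deny` on the bypass permission must win, so a versioned DELETE carrying the bypass header comes back as `AccessDenied` even though the same policy allows ordinary deletes.

```python
from fnmatch import fnmatchcase

BYPASS_HEADER = "X-Amz-Bypass-Governance-Retention"

# Constructed sample policy (hypothetical): the user may delete object
# versions in the bucket but is explicitly denied the governance bypass.
SAMPLE_POLICY = [
    {"Effect": "Allow",
     "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion"],
     "Resource": ["arn:aws:s3:::locked-bucket/*"]},
    {"Effect": "Deny",
     "Action": ["s3:BypassGovernanceRetention"],
     "Resource": ["arn:aws:s3:::locked-bucket/*"]},
]

# Constructed sample request: DELETE of one versionId with the bypass header.
SAMPLE_REQUEST = {
    "method": "DELETE",
    "bucket": "locked-bucket",
    "key": "ledger/2023-02.csv",
    "version_id": "v1",
    "headers": {BYPASS_HEADER: "true"},
}


def required_actions(request, check_bypass_governance=True):
    """Map an S3 request onto the permissions it needs.

    With check_bypass_governance=False the evaluator models the affected
    behaviour: the bypass header is ignored when deciding what to check.
    """
    actions = set()
    if request["method"] == "DELETE":
        actions.add("s3:DeleteObjectVersion" if request.get("version_id")
                    else "s3:DeleteObject")
        if check_bypass_governance:
            headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
            if headers.get(BYPASS_HEADER.lower(), "").lower() == "true":
                actions.add("s3:BypassGovernanceRetention")
    return actions


def _matches(statement, action, resource):
    """Glob-match one statement against an action and a resource ARN."""
    return (any(fnmatchcase(action, a) for a in statement["Action"])
            and any(fnmatchcase(resource, r) for r in statement["Resource"]))


def evaluate(policy, request, check_bypass_governance=True):
    """Return 'Allowed' or 'AccessDenied'.

    Every required action must be allowed by at least one statement and
    denied by none: an explicit Deny always overrides an Allow.
    """
    resource = f"arn:aws:s3:::{request['bucket']}/{request['key']}"
    for action in required_actions(request, check_bypass_governance):
        relevant = [s for s in policy if _matches(s, action, resource)]
        if any(s["Effect"] == "Deny" for s in relevant):
            return "AccessDenied"
        if not any(s["Effect"] == "Allow" for s in relevant):
            return "AccessDenied"
    return "Allowed"


if __name__ == "__main__":
    print("fixed behaviour   :", evaluate(SAMPLE_POLICY, SAMPLE_REQUEST))
    print("affected behaviour:", evaluate(SAMPLE_POLICY, SAMPLE_REQUEST,
                                          check_bypass_governance=False))
```

Running the block prints `AccessDenied` for the fixed path and `Allowed` for the modelled affected path; the same request without the bypass header is allowed in both, which is why the defect was invisible to ordinary delete tests and only shows up when a governance-locked version is targeted with the header set.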
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Minio | Minio | >= 2020-04-10T03-34-42Z, < 2023-02-17T17-52-43Z |
References
- https://github.com/minio/minio/pull/16635 (Issue Tracking, Patch)
- https://github.com/minio/minio/security/advisories/GHSA-c8fc-mjj8-fc63 (Exploit, Vendor Advisory)
Source: NVD / NIST
