Allowed DELETE on resources on object locked buckets under Governance mode in Minio
CVE-2023-25812

6.5 MEDIUM

Key Information:

Vendor

Minio

Status
Vendor
CVE Published:
21 February 2023

What is CVE-2023-25812?

The Minio Multi-Cloud Object Storage framework does not enforce a 'Deny' policy on the governance bypass action. When a user whose policy denies bypassing governance retention deletes an object version with the header 'X-Amz-Bypass-Governance-Retention: true', the server should reject the request with 'Access Denied'. Instead, the Deny statement is ignored and the retained version is removed, so an authenticated user who is allowed to delete objects but explicitly denied the bypass can delete versions protected by Governance-mode object lock. No workaround is available; users are urged to upgrade to a fixed release.
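The check described above, modelled as an added example (this is not MinIO's or the advisory's code). It assumes the policy targets the standard S3 action name `s3:BypassGovernanceRetention`; the functions `is_allowed` and `authorize_delete`, the result labels, and the sample bucket `locked-bucket` and policies are constructed here. Calling `authorize_delete` with `enforce_bypass_deny=False` reproduces the flawed behaviour, the default reproduces the fixed behaviour:

```python
"""Added example, not MinIO's own code: a small model of the S3 object-lock
authorization path that CVE-2023-25812 concerns.  The policy documents use
standard S3/IAM syntax and action names; the evaluation functions, result
labels and sample data below are constructed for this illustration."""
import fnmatch
import json
from typing import Dict, Optional

# Constructed sample policies.  Both allow deleting object versions in
# "locked-bucket"; they differ only in whether bypassing Governance
# retention is explicitly denied.
DENY_BYPASS_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion"],
     "Resource": "arn:aws:s3:::locked-bucket/*"},
    {"Effect": "Deny",
     "Action": "s3:BypassGovernanceRetention",
     "Resource": "arn:aws:s3:::locked-bucket/*"}
  ]
}
""")

ALLOW_BYPASS_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion",
                "s3:BypassGovernanceRetention"],
     "Resource": "arn:aws:s3:::locked-bucket/*"}
  ]
}
""")

BYPASS_HEADER = "x-amz-bypass-governance-retention"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Standard IAM evaluation order: an explicit Deny on a matching
    statement wins over any Allow; with no matching Allow the default is deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def authorize_delete(policy: dict, bucket: str, key: str, headers: Dict[str, str],
                     retention_mode: Optional[str],
                     enforce_bypass_deny: bool = True) -> str:
    """Decide a versioned delete against an object that may be under lock.

    retention_mode is None, "GOVERNANCE" or "COMPLIANCE".  With
    enforce_bypass_deny=False the function reproduces the flaw: the bypass
    header is honoured without consulting the policy.  Return values are
    labels for this model, not the server's actual error codes."""
    resource = f"arn:aws:s3:::{bucket}/{key}"
    if not is_allowed(policy, "s3:DeleteObjectVersion", resource):
        return "ACCESS_DENIED"
    if retention_mode is None:
        return "DELETED"
    # HTTP header names are case-insensitive; normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    bypass_requested = lowered.get(BYPASS_HEADER, "").strip().lower() == "true"
    if retention_mode == "COMPLIANCE":
        return "LOCKED"          # no header bypasses Compliance mode
    if not bypass_requested:
        return "LOCKED"          # Governance mode still protects by default
    if enforce_bypass_deny and not is_allowed(policy, "s3:BypassGovernanceRetention", resource):
        return "ACCESS_DENIED"   # fixed behaviour: Deny on the bypass action wins
    return "DELETED"             # flawed path (or bypass genuinely allowed)


if __name__ == "__main__":
    hdr = {"X-Amz-Bypass-Governance-Retention": "true"}
    for enforce in (False, True):
        print("enforce_bypass_deny =", enforce, "->",
              authorize_delete(DENY_BYPASS_POLICY, "locked-bucket", "a.txt",
                               hdr, "GOVERNANCE", enforce_bypass_deny=enforce))
```

To probe a live deployment, send a versioned delete with the bypass flag from an account whose policy carries the Deny statement (the AWS CLI exposes the header as `aws s3api delete-object --bypass-governance-retention ...`): a fixed release answers AccessDenied, while a release before RELEASE.2023-02-17T17-52-43Z deletes the version.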

Affected Version(s)

minio >= RELEASE.2020-04-10T03-34-42Z, < RELEASE.2023-02-17T17-52-43Z

CVSS V3.1

Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Score:
6.5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability reserved

  • Vulnerability published (21 February 2023)