SSH Key Authentication Bypass Vulnerability in MinIO Object Storage
CVE-2025-27414

4.6 MEDIUM

Key Information:

Vendor: Minio
CVE Published: 28 February 2025

Summary

A vulnerability exists in MinIO's object storage solution where an error in the evaluation of SSH key trust allows unauthorized access. It occurs when SFTP access is configured with LDAP as the identity provider and the LDAP user lacks the 'sshPublicKey' attribute. Successful exploitation permits an attacker to perform any file operation allowed by the ACL policies attached to the affected LDAP user or their groups. Exploitation requires specific conditions: SFTP access must be configured, and the attacker must know an LDAP username that has no SSH key attribute set. The issue has been addressed in version 1.2.0.

Affected Version(s)

minio >= RELEASE.2024-06-06T09-36-42Z, < RELEASE.2025-02-28T09-55-16Z

References

CVSS V4

Score:
4.6
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
