A vulnerability was found in MinIO (the affected version unknown). It has been declared as critical. This vulnerability affects an unknown part. The manipulation with an unknown input leads to a path traversal vulnerability. The CWE definition for the vulnerability is CWE-22. The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. As an impact it is known to affect confidentiality, integrity, and availability. CVE summarizes:

MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. In affected versions all 'admin' users authorized for `admin:ServerUpdate` can selectively trigger an error that in response, returns the content of the path requested. Any normal OS system would allow access to contents at any arbitrary paths that are readable by MinIO process. Users are advised to upgrade. Users unable to upgrade may disable ServerUpdate API by denying the `admin:ServerUpdate` action for your admin users via IAM policies.

The weakness was disclosed 08/02/2022 as GHSA-gr9v-6pcm-rqvg. The advisory is shared for download at github.com. This vulnerability was named CVE-2022-35919 since 07/15/2022. There are neither technical details nor an exploit publicly available. The MITRE ATT&CK project declares the attack technique as T1006.

Applying the patch bc72e4226e669d98c8e0f3eccc9297be9251c692 is able to eliminate this problem. The bugfix is ready for download at github.com.

The entries VDB-184386, VDB-189395, VDB-197262 and VDB-201378 are pretty similar.

Productinfo

Name

• MinIO

License

• open-source

CPE 2.3info

• 🔍

CPE 2.2info

• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion