MinIO up to RELEASE.2024-12-13T22-19-12Z SFTP Connection improper authentication

Summaryinfo

A vulnerability classified as critical was found in MinIO. This impacts an unknown function of the component SFTP Connection Handler. The manipulation results in improper authentication. This vulnerability is reported as CVE-2025-27414. The attack can be launched remotely. No exploit exists. Upgrading the affected component is advised.

Detailsinfo

A vulnerability was found in MinIO. It has been classified as critical. Affected is an unknown function of the component SFTP Connection Handler. The manipulation with an unknown input leads to a improper authentication vulnerability. CWE is classifying the issue as CWE-287. When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. This is going to have an impact on confidentiality, integrity, and availability. CVE summarizes:

MinIO is a high performance object storage. Starting in RELEASE.2024-06-06T09-36-42Z and prior to RELEASE.2025-02-28T09-55-16Z, a bug in evaluating the trust of the SSH key used in an SFTP connection to MinIO allows authentication bypass and unauthorized data access. On a MinIO server with SFTP access configured and using LDAP as an external identity provider, MinIO supports SSH key based authentication for SFTP connections when the user has the `sshPublicKey` attribute set in their LDAP server. The server trusts the client's key only when the public key is the same as the `sshPublicKey` attribute. Due to the bug, when the user has no `sshPublicKey` property in LDAP, the server ends up trusting the key allowing the client to perform any FTP operations allowed by the MinIO access policies associated with the LDAP user (or any of their groups). Three requirements must be met in order to exploit the vulnerability. First, the MinIO server must be configured to allow SFTP access and use LDAP as an external identity provider. Second, the attacker must have knowledge of an LDAP username that does not have the `sshPublicKey` property set. Third, such an LDAP username or one of their groups must also have some MinIO access policy configured. When this bug is successfully exploited, the attacker can perform any FTP operations (i.e. reading, writing, deleting and listing objects) allowed by the access policy associated with the LDAP user account (and their groups). Version 1.2.0 fixes the issue.

The advisory is shared for download at github.com. This vulnerability is traded as CVE-2025-27414 since 02/24/2025. The exploitability is told to be easy. It is possible to launch the attack remotely. The exploitation doesn't require any form of authentication. There are neither technical details nor an exploit publicly available.

Upgrading to version RELEASE.2025-02-28T09-55-16Z eliminates this vulnerability. Applying the patch 4c71f1b4ec0fb2a473ddaac18c20ec9e63f267ec is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Productinfo

Name

• MinIO

Version

• 0.12.3
• 2021-01-30T00-20-58Z
• 2021-03-17T02-33-02Z
• 2021-10-10T16-53-30Z
• 2021-10-13T00-23-17Z
• 2022-04-12T06-55-35Z
• 2023-03-20T20-16-18Z
• <=0.12.2
• <=2022-06-02T02-11-04Z
• RELEASE.2020-04-23T00-58-49Z
• RELEASE.2021-03-04T00-53-13Z
• RELEASE.2021-12-27T07-23-18Z
• RELEASE.2024-01-31T20-20-33Z
• RELEASE.2024-05-27T19-17-46Z
• RELEASE.2024-12-13T22-19-12Z

License

• open-source

Website

• Product: https://github.com/minio/minio/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Discussion