CVE-2023-25812
Published Feb 21, 2023
Last updated a year ago
Overview
- Description
- Minio is a Multi-Cloud Object Storage framework. Affected versions do not correctly honor a `Deny` policy on ByPassGoverance. Ideally, minio should return "Access Denied" to all users attempting to DELETE a versionId with the special header `X-Amz-Bypass-Governance-Retention: true`. However, this was not honored instead the request will be honored and an object under governance would be incorrectly deleted. All users are advised to upgrade. There are no known workarounds for this issue.
- Source
- security-advisories@github.com
- NVD status
- Modified
Social media
- Hype score
- Not currently trending
Risk scores
CVSS 3.1
- Type
- Primary
- Base score
- 8.8
- Impact score
- 5.9
- Exploitability score
- 2.8
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Severity
- HIGH
Weaknesses
- nvd@nist.gov
- NVD-CWE-noinfo
- security-advisories@github.com
- CWE-281
Configurations
[
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "451D6DA1-D25A-46A8-822B-D0A78D65C642",
"versionEndExcluding": "2023-02-17t17-52-43z",
"versionStartIncluding": "2020-04-10t03-34-42z"
}
],
"operator": "OR"
}
]
}
]