CVE-2020-11012 CRITICAL

CVE-2020-11012: Authentication bypass in MinIO Admin API

Vendor Minio
Product minio
Weakness CWE-305
Published April 23, 2020
Last update August 4, 2024

CVSS base score

9.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N

What the vulnerability does

01 Description

MinIO versions before RELEASE.2020-04-23T00-58-49Z have an authentication bypass issue in the MinIO admin API. Given an admin access key, it is possible to perform admin API operations (i.e. creating new service accounts for existing access keys) without knowing the admin secret key. This has been fixed and released in version RELEASE.2020-04-23T00-58-49Z.

Key dates

02 Disclosure timeline

April 23, 2020 CVE published
August 4, 2024 Record updated