CVE-2022-35919 HIGH

CVE-2022-35919: Authenticated requests for server update admin API allows path traversal in minio

Vendor Minio
Product minio
Weakness CWE-22 · Path traversal
Published August 1, 2022
Last update April 22, 2025

CVSS base score

7.4/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Scope Changed
Confidentiality Low
Integrity Low
Availability Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

What the vulnerability does

01 Description

MinIO is a high-performance object storage server released under the GNU Affero General Public License v3.0. In affected versions, any 'admin' user authorized for the `admin:ServerUpdate` action can deliberately trigger an error whose response returns the content of the path supplied in the request. On any normal operating system this allows reading arbitrary paths that are readable by the MinIO process, not only MinIO's own files. Users are advised to upgrade. Users unable to upgrade can disable the ServerUpdate API by denying the `admin:ServerUpdate` action for their admin users via IAM policies.
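The workaround above, written out as an added example policy that is not from the MinIO project or the advisory: it keeps the usual admin, KMS and S3 permissions but adds an explicit Deny for `admin:ServerUpdate`. The statement layout follows MinIO's AWS-style IAM policy format; the policy name `admin-no-update` used below is an assumed placeholder.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["admin:*"]
    },
    {
      "Effect": "Allow",
      "Action": ["kms:*"]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:*"],
      "Resource": ["arn:aws:s3:::*"]
    },
    {
      "Effect": "Deny",
      "Action": ["admin:ServerUpdate"]
    }
  ]
}
```

Save it as a file and register it with `mc admin policy create ALIAS admin-no-update policy.json`, then attach it with `mc admin policy attach ALIAS admin-no-update --user USER` (older mc releases spell these `mc admin policy add` and `mc admin policy set ALIAS admin-no-update user=USER`); alias, policy and user names are placeholders. An explicit Deny overrides any Allow, including the `admin:*` wildcard, so the deny also neutralizes the built-in consoleAdmin grant, but only for identities actually attached to a policy carrying it, so every admin user and group needs one. To confirm the API is blocked, run `mc admin update ALIAS` as one of those admins; it should fail with an access-denied error rather than attempting an update.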

Key dates

02 Disclosure timeline

August 1, 2022 CVE published
April 22, 2025 Record updated