Vulnerability Description
Minio is a Multi-Cloud Object Storage framework. Starting with RELEASE.2020-12-23T02-24-12Z and prior to RELEASE.2023-03-13T19-46-17Z, a user with `consoleAdmin` permissions can potentially create a user that matches the root credential `accessKey`. Once this user is created successfully, the root credential ceases to work appropriately. The issue is patched in RELEASE.2023-03-13T19-46-17Z. There are ways to work around this via adding higher privileges to the disabled root user via `mc admin policy set`.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Minio | Minio | >= 2020-12-23t02-24-12z, < 2023-03-13t19-46-17z |
Related Weaknesses (CWE)
References
- https://github.com/minio/minio/pull/16803ExploitPatch
- https://github.com/minio/minio/security/advisories/GHSA-9wfv-wmf7-6753Vendor Advisory
- https://github.com/minio/minio/pull/16803ExploitPatch
- https://github.com/minio/minio/security/advisories/GHSA-9wfv-wmf7-6753Vendor Advisory
FAQ
What is CVE-2023-27589?
CVE-2023-27589 is a vulnerability with a CVSS score of 6.5 (MEDIUM). Minio is a Multi-Cloud Object Storage framework. Starting with RELEASE.2020-12-23T02-24-12Z and prior to RELEASE.2023-03-13T19-46-17Z, a user with `consoleAdmin` permissions can potentially create a u...
How severe is CVE-2023-27589?
CVE-2023-27589 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-27589?
Check the references section above for vendor advisories and patch information. Affected products include: Minio Minio.