ID

VAR-202004-2185


CVE

CVE-2020-11012


TITLE

Authentication vulnerabilities in MinIO

Trust: 0.8

sources: JVNDB: JVNDB-2020-004949

DESCRIPTION

MinIO versions before RELEASE.2020-04-23T00-58-49Z have an authentication bypass issue in the MinIO admin API. Given an admin access key, it is possible to perform admin API operations, i.e. creating new service accounts for existing access keys, without knowing the admin secret key. This has been fixed and released in version RELEASE.2020-04-23T00-58-49Z. There is an authentication vulnerability in MinIO. Information may be tampered with.

Trust: 1.62

sources: NVD: CVE-2020-11012 // JVNDB: JVNDB-2020-004949

AFFECTED PRODUCTS

vendor: minio // model: minio // scope: lt // version: 2020-04-23t00-58-49z

Trust: 1.0

vendor: minio // model: minio // scope: eq // version: release.2020-04-23t00-58-49z

Trust: 0.8

sources: JVNDB: JVNDB-2020-004949 // NVD: CVE-2020-11012

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD: CVE-2020-11012
value: HIGH

Trust: 1.0

security-advisories@github.com: CVE-2020-11012
value: CRITICAL

Trust: 1.0

NVD: JVNDB-2020-004949
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202004-2042
value: HIGH

Trust: 0.6

NVD:
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: FALSE
obtainAllPrivilege: FALSE
obtainUserPrivilege: FALSE
obtainOtherPrivilege: FALSE
userInteractionRequired: FALSE
version: 2.0

Trust: 1.0

NVD: JVNDB-2020-004949
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

NVD:
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 1.0

security-advisories@github.com:
baseSeverity: CRITICAL
baseScore: 9.3
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 4.7
version: 3.1

Trust: 1.0

NVD: JVNDB-2020-004949
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2020-004949 // NVD: CVE-2020-11012 // NVD: CVE-2020-11012 // CNNVD: CNNVD-202004-2042

PROBLEMTYPE DATA

problemtype:CWE-755

Trust: 1.0

problemtype:CWE-287

Trust: 0.8

sources: JVNDB: JVNDB-2020-004949 // NVD: CVE-2020-11012

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202004-2042

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-202004-2042

CONFIGURATIONS

sources: NVD: CVE-2020-11012

PATCH

title: Top Page // url: https://min.io/

Trust: 0.8

title: MinIO Security vulnerabilities // url: http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=116797

Trust: 0.6

sources: JVNDB: JVNDB-2020-004949 // CNNVD: CNNVD-202004-2042

EXTERNAL IDS

db: NVD // id: CVE-2020-11012

Trust: 2.4

db: JVNDB // id: JVNDB-2020-004949

Trust: 0.8

db: CNNVD // id: CNNVD-202004-2042

Trust: 0.6

sources: JVNDB: JVNDB-2020-004949 // NVD: CVE-2020-11012 // CNNVD: CNNVD-202004-2042

REFERENCES

url:https://github.com/minio/minio/commit/4cd6ca02c7957aeb2de3eede08b0754332a77923

Trust: 2.4

url:https://github.com/minio/minio/pull/9422

Trust: 1.6

url:https://github.com/minio/minio/releases/tag/release.2020-04-23t00-58-49z

Trust: 1.6

url:https://github.com/minio/minio/security/advisories/ghsa-xv4r-vccv-mg4w

Trust: 1.6

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-11012

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2020-11012

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2020-11012

Trust: 0.6

sources: JVNDB: JVNDB-2020-004949 // NVD: CVE-2020-11012 // CNNVD: CNNVD-202004-2042

SOURCES

db: JVNDB // id: JVNDB-2020-004949
db: NVD // id: CVE-2020-11012
db: CNNVD // id: CNNVD-202004-2042

LAST UPDATE DATE

2023-12-18T13:37:49.133000+00:00


SOURCES UPDATE DATE

db: JVNDB // id: JVNDB-2020-004949 // date: 2020-06-03T00:00:00
db: NVD // id: CVE-2020-11012 // date: 2021-10-26T20:02:15.260
db: CNNVD // id: CNNVD-202004-2042 // date: 2021-10-27T00:00:00

SOURCES RELEASE DATE

db: JVNDB // id: JVNDB-2020-004949 // date: 2020-06-03T00:00:00
db: NVD // id: CVE-2020-11012 // date: 2020-04-23T22:15:12.833
db: CNNVD // id: CNNVD-202004-2042 // date: 2020-04-23T00:00:00