Sign-up

ID

VAR-202004-2185


CVE

CVE-2020-11012


TITLE

MinIO Authentication vulnerabilities in

Trust: 0.8

sources: JVNDB: JVNDB-2020-004949

DESCRIPTION

MinIO versions before RELEASE.2020-04-23T00-58-49Z have an authentication bypass issue in the MinIO admin API. Given an admin access key, it is possible to perform admin API operations i.e. creating new service accounts for existing access keys - without knowing the admin secret key. This has been fixed and released in version RELEASE.2020-04-23T00-58-49Z. MinIO There is an authentication vulnerability in.Information may be tampered with

Trust: 1.62

sources: NVD: CVE-2020-11012 // JVNDB: JVNDB-2020-004949

AFFECTED PRODUCTS

vendor:miniomodel:minioscope:ltversion:2020-04-23t00-58-49z

Trust: 1.0

vendor:miniomodel:minioscope:eqversion:release.2020-04-23t00-58-49z

Trust: 0.8

sources: JVNDB: JVNDB-2020-004949 // NVD: CVE-2020-11012

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD: CVE-2020-11012
value: HIGH

Trust: 1.0

security-advisories@github.com: CVE-2020-11012
value: CRITICAL

Trust: 1.0

NVD: JVNDB-2020-004949
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202004-2042
value: HIGH

Trust: 0.6

NVD:
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: FALSE
obtainAllPrivilege: FALSE
obtainUserPrivilege: FALSE
obtainOtherPrivilege: FALSE
userInteractionRequired: FALSE
version: 2.0

Trust: 1.0

NVD: JVNDB-2020-004949
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

NVD:
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 1.0

security-advisories@github.com:
baseSeverity: CRITICAL
baseScore: 9.3
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 4.7
version: 3.1

Trust: 1.0

NVD: JVNDB-2020-004949
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2020-004949 // NVD: CVE-2020-11012 // NVD: CVE-2020-11012 // CNNVD: CNNVD-202004-2042

PROBLEMTYPE DATA

problemtype:CWE-755

Trust: 1.0

problemtype:CWE-287

Trust: 0.8

sources: JVNDB: JVNDB-2020-004949 // NVD: CVE-2020-11012

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202004-2042

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-202004-2042

CONFIGURATIONS

sources:
            
            
            NVD: CVE-2020-11012

PATCH
title:Top Pageurl:https://min.io/
Trust: 0.8
title:MinIO Security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=116797
Trust: 0.6
sources:
            
            
            JVNDB: JVNDB-2020-004949 // 
            
            
            
            CNNVD: CNNVD-202004-2042

EXTERNAL IDS
db:NVDid:CVE-2020-11012
Trust: 2.4
db:JVNDBid:JVNDB-2020-004949
Trust: 0.8
db:CNNVDid:CNNVD-202004-2042
Trust: 0.6
sources:
            
            
            JVNDB: JVNDB-2020-004949 // 
            
            
            
            NVD: CVE-2020-11012 // 
            
            
            
            CNNVD: CNNVD-202004-2042

REFERENCES
url:https://github.com/minio/minio/commit/4cd6ca02c7957aeb2de3eede08b0754332a77923
Trust: 2.4
url:https://github.com/minio/minio/pull/9422
Trust: 1.6
url:https://github.com/minio/minio/releases/tag/release.2020-04-23t00-58-49z
Trust: 1.6
url:https://github.com/minio/minio/security/advisories/ghsa-xv4r-vccv-mg4w
Trust: 1.6
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-11012
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2020-11012\
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2020-11012
Trust: 0.6
sources:
            
            
            JVNDB: JVNDB-2020-004949 // 
            
            
            
            NVD: CVE-2020-11012 // 
            
            
            
            CNNVD: CNNVD-202004-2042

SOURCES
db:JVNDBid:JVNDB-2020-004949
db:NVDid:CVE-2020-11012
db:CNNVDid:CNNVD-202004-2042

LAST UPDATE DATE
2023-12-18T13:37:49.133000+00:00

SOURCES UPDATE DATE
db:JVNDBid:JVNDB-2020-004949date:2020-06-03T00:00:00
db:NVDid:CVE-2020-11012date:2021-10-26T20:02:15.260
db:CNNVDid:CNNVD-202004-2042date:2021-10-27T00:00:00

SOURCES RELEASE DATE
db:JVNDBid:JVNDB-2020-004949date:2020-06-03T00:00:00
db:NVDid:CVE-2020-11012date:2020-04-23T22:15:12.833
db:CNNVDid:CNNVD-202004-2042date:2020-04-23T00:00:00