Details of VAR-202208-0159

ID

VAR-202208-0159

CVE

CVE-2022-35919

TITLE

Minio Inc. of Minio Past traversal vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2022-014251

DESCRIPTION

MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. In affected versions all 'admin' users authorized for `admin:ServerUpdate` can selectively trigger an error that in response, returns the content of the path requested. Any normal OS system would allow access to contents at any arbitrary paths that are readable by MinIO process. Users are advised to upgrade. Users unable to upgrade may disable ServerUpdate API by denying the `admin:ServerUpdate` action for your admin users via IAM policies. Minio Inc. of Minio Exists in a past traversal vulnerability.Information may be obtained

Trust: 1.71

sources: NVD: CVE-2022-35919 // JVNDB: JVNDB-2022-014251 // VULMON: CVE-2022-35919

AFFECTED PRODUCTS

vendor:	minio	model:	minio	scope:	lt	version:	2022-07-29t19-40-48z	Trust: 1.0
vendor:	minio	model:	minio	scope:	-	version:	-	Trust: 0.8
vendor:	minio	model:	minio	scope:	eq	version:	2022-07-29t19-40-48z	Trust: 0.8
vendor:	minio	model:	minio	scope:	eq	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2022-014251 // NVD: CVE-2022-35919

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD:	CVE-2022-35919
value:	LOW
Trust: 1.8
security-advisories@github.com:	CVE-2022-35919
value:	HIGH
Trust: 1.0
CNNVD:	CNNVD-202208-1987
value:	LOW
Trust: 0.6

NVD:
baseSeverity:	LOW
baseScore:	2.7
vectorString:	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	1.2
impactScore:	1.4
version:	3.1
Trust: 1.0
security-advisories@github.com:
baseSeverity:	HIGH
baseScore:	7.4
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	LOW
exploitabilityScore:	3.1
impactScore:	3.7
version:	3.1
Trust: 1.0
NVD:	CVE-2022-35919
baseSeverity:	LOW
baseScore:	2.7
vectorString:	CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: JVNDB: JVNDB-2022-014251 // NVD: CVE-2022-35919 // NVD: CVE-2022-35919 // CNNVD: CNNVD-202208-1987

PROBLEMTYPE DATA

problemtype:	CWE-22	Trust: 1.0
problemtype:	Path traversal (CWE-22) [ others ]	Trust: 0.8

sources: JVNDB: JVNDB-2022-014251 // NVD: CVE-2022-35919

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202208-1987

TYPE

path traversal

Trust: 0.6

sources: CNNVD: CNNVD-202208-1987

CONFIGURATIONS

sources: NVD: CVE-2022-35919

PATCH

title:

MinIO Repair measures for path traversal vulnerabilities

url:

http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=203876

Trust: 0.6

sources: CNNVD: CNNVD-202208-1987

EXTERNAL IDS

db:	NVD	id:	CVE-2022-35919	Trust: 3.3
db:	PACKETSTORM	id:	175010	Trust: 1.0
db:	JVNDB	id:	JVNDB-2022-014251	Trust: 0.8
db:	CNNVD	id:	CNNVD-202208-1987	Trust: 0.6
db:	VULMON	id:	CVE-2022-35919	Trust: 0.1

sources: VULMON: CVE-2022-35919 // JVNDB: JVNDB-2022-014251 // NVD: CVE-2022-35919 // CNNVD: CNNVD-202208-1987

REFERENCES

url:	https://github.com/minio/minio/commit/bc72e4226e669d98c8e0f3eccc9297be9251c692	Trust: 2.5
url:	https://github.com/minio/minio/pull/15429	Trust: 2.5
url:	https://github.com/minio/minio/security/advisories/ghsa-gr9v-6pcm-rqvg	Trust: 2.5
url:	http://packetstormsecurity.com/files/175010/minio-2022-07-29t19-40-48z-path-traversal.html	Trust: 1.0
url:	https://nvd.nist.gov/vuln/detail/cve-2022-35919	Trust: 0.8
url:	https://cxsecurity.com/cveshow/cve-2022-35919/	Trust: 0.6
url:	https://vigilance.fr/vulnerability/minio-file-reading-via-admin-serverupdate-39306	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/22.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: VULMON: CVE-2022-35919 // JVNDB: JVNDB-2022-014251 // NVD: CVE-2022-35919 // CNNVD: CNNVD-202208-1987

SOURCES

db:	VULMON	id:	CVE-2022-35919
db:	JVNDB	id:	JVNDB-2022-014251
db:	NVD	id:	CVE-2022-35919
db:	CNNVD	id:	CNNVD-202208-1987

LAST UPDATE DATE

2023-12-18T13:32:01.265000+00:00

SOURCES UPDATE DATE

db:	VULMON	id:	CVE-2022-35919	date:	2022-08-02T00:00:00
db:	JVNDB	id:	JVNDB-2022-014251	date:	2023-09-15T08:07:00
db:	NVD	id:	CVE-2022-35919	date:	2023-10-10T17:15:10.940
db:	CNNVD	id:	CNNVD-202208-1987	date:	2022-09-20T00:00:00

SOURCES RELEASE DATE

db:	VULMON	id:	CVE-2022-35919	date:	2022-08-01T00:00:00
db:	JVNDB	id:	JVNDB-2022-014251	date:	2023-09-15T00:00:00
db:	NVD	id:	CVE-2022-35919	date:	2022-08-01T22:15:10.280
db:	CNNVD	id:	CNNVD-202208-1987	date:	2022-08-01T00:00:00