ID

VAR-202208-0159


CVE

CVE-2022-35919


TITLE

Minio Inc. of Minio Path traversal vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2022-014251

DESCRIPTION

MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. In affected versions, all 'admin' users authorized for `admin:ServerUpdate` can selectively trigger an error that, in response, returns the content of the path requested. Any normal OS would allow access to the contents of any arbitrary paths that are readable by the MinIO process. Users are advised to upgrade. Users unable to upgrade may disable the ServerUpdate API by denying the `admin:ServerUpdate` action for their admin users via IAM policies. Minio, from Minio Inc., contains a path traversal vulnerability. Information may be obtained.

Trust: 1.71

sources: NVD: CVE-2022-35919 // JVNDB: JVNDB-2022-014251 // VULMON: CVE-2022-35919

AFFECTED PRODUCTS

vendor: minio, model: minio, scope: lt, version: 2022-07-29t19-40-48z

Trust: 1.0

vendor: minio, model: minio, scope: -, version: -

Trust: 0.8

vendor: minio, model: minio, scope: eq, version: 2022-07-29t19-40-48z

Trust: 0.8

vendor: minio, model: minio, scope: eq, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2022-014251 // NVD: CVE-2022-35919

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD: CVE-2022-35919
value: LOW

Trust: 1.8

security-advisories@github.com: CVE-2022-35919
value: HIGH

Trust: 1.0

CNNVD: CNNVD-202208-1987
value: LOW

Trust: 0.6

NVD:
baseSeverity: LOW
baseScore: 2.7
vectorString: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 1.2
impactScore: 1.4
version: 3.1

Trust: 1.0

security-advisories@github.com:
baseSeverity: HIGH
baseScore: 7.4
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: LOW
exploitabilityScore: 3.1
impactScore: 3.7
version: 3.1

Trust: 1.0

NVD: CVE-2022-35919
baseSeverity: LOW
baseScore: 2.7
vectorString: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2022-014251 // NVD: CVE-2022-35919 // NVD: CVE-2022-35919 // CNNVD: CNNVD-202208-1987

PROBLEMTYPE DATA

problemtype:CWE-22

Trust: 1.0

problemtype:Path traversal (CWE-22) [ others ]

Trust: 0.8

sources: JVNDB: JVNDB-2022-014251 // NVD: CVE-2022-35919

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202208-1987

TYPE

path traversal

Trust: 0.6

sources: CNNVD: CNNVD-202208-1987

CONFIGURATIONS

sources: NVD: CVE-2022-35919

PATCH

title: MinIO Repair measures for path traversal vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=203876

Trust: 0.6

sources: CNNVD: CNNVD-202208-1987

EXTERNAL IDS

db: NVD, id: CVE-2022-35919

Trust: 3.3

db: PACKETSTORM, id: 175010

Trust: 1.0

db: JVNDB, id: JVNDB-2022-014251

Trust: 0.8

db: CNNVD, id: CNNVD-202208-1987

Trust: 0.6

db: VULMON, id: CVE-2022-35919

Trust: 0.1

sources: VULMON: CVE-2022-35919 // JVNDB: JVNDB-2022-014251 // NVD: CVE-2022-35919 // CNNVD: CNNVD-202208-1987

REFERENCES

url:https://github.com/minio/minio/commit/bc72e4226e669d98c8e0f3eccc9297be9251c692

Trust: 2.5

url:https://github.com/minio/minio/pull/15429

Trust: 2.5

url:https://github.com/minio/minio/security/advisories/ghsa-gr9v-6pcm-rqvg

Trust: 2.5

url:http://packetstormsecurity.com/files/175010/minio-2022-07-29t19-40-48z-path-traversal.html

Trust: 1.0

url:https://nvd.nist.gov/vuln/detail/cve-2022-35919

Trust: 0.8

url:https://cxsecurity.com/cveshow/cve-2022-35919/

Trust: 0.6

url:https://vigilance.fr/vulnerability/minio-file-reading-via-admin-serverupdate-39306

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/22.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: VULMON: CVE-2022-35919 // JVNDB: JVNDB-2022-014251 // NVD: CVE-2022-35919 // CNNVD: CNNVD-202208-1987

SOURCES

db: VULMON, id: CVE-2022-35919
db: JVNDB, id: JVNDB-2022-014251
db: NVD, id: CVE-2022-35919
db: CNNVD, id: CNNVD-202208-1987

LAST UPDATE DATE

2023-12-18T13:32:01.265000+00:00


SOURCES UPDATE DATE

db: VULMON, id: CVE-2022-35919, date: 2022-08-02T00:00:00
db: JVNDB, id: JVNDB-2022-014251, date: 2023-09-15T08:07:00
db: NVD, id: CVE-2022-35919, date: 2023-10-10T17:15:10.940
db: CNNVD, id: CNNVD-202208-1987, date: 2022-09-20T00:00:00

SOURCES RELEASE DATE

db: VULMON, id: CVE-2022-35919, date: 2022-08-01T00:00:00
db: JVNDB, id: JVNDB-2022-014251, date: 2023-09-15T00:00:00
db: NVD, id: CVE-2022-35919, date: 2022-08-01T22:15:10.280
db: CNNVD, id: CNNVD-202208-1987, date: 2022-08-01T00:00:00