CVE-2020-11012

CRITICAL

MinIO <RELEASE.2020-04-23T00-58-49Z - Auth Bypass

Title source: llm

Description

MinIO versions before RELEASE.2020-04-23T00-58-49Z have an authentication bypass issue in the MinIO admin API. Given an admin access key, it is possible to perform admin API operations i.e. creating new service accounts for existing access keys - without knowing the admin secret key. This has been fixed and released in version RELEASE.2020-04-23T00-58-49Z.

References (4)

[Patch, Third Party Advisory] https://github.com/minio/minio/commit/4cd6ca02c7957aeb2de3eede08b0754332a77923

View Patch ZIP pw:eip

[Third Party Advisory] https://github.com/minio/minio/pull/9422

[Third Party Advisory] https://github.com/minio/minio/releases/tag/RELEASE.2020-04-23T00-58-49Z

[Patch, Third Party Advisory] https://github.com/minio/minio/security/advisories/GHSA-xv4r-vccv-mg4w

Scores

CVSS v3 9.3

EPSS 0.0019

EPSS Percentile 41.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N

Classification

CWE

CWE-755 CWE-305

Status published

Affected Products (1)

minio/minio < 2020-04-23t00-58-49z

Timeline

Published Apr 23, 2020

Tracked Since Feb 18, 2026