CVE-2020-11012

CRITICAL

MinIO <RELEASE.2020-04-23T00-58-49Z - Auth Bypass

Title source: llm

Description

MinIO versions before RELEASE.2020-04-23T00-58-49Z have an authentication bypass issue in the MinIO admin API. Given an admin access key, it is possible to perform admin API operations i.e. creating new service accounts for existing access keys - without knowing the admin secret key. This has been fixed and released in version RELEASE.2020-04-23T00-58-49Z.

References (4)

[Patch, Third Party Advisory] https://github.com/minio/minio/security/advisories/GHSA-xv4r-vccv-mg4w

[Third Party Advisory] https://github.com/minio/minio/pull/9422

[Patch, Third Party Advisory] https://github.com/minio/minio/commit/4cd6ca02c7957aeb2de3eede08b0754332a77923

View Patch ZIP pw:eip

[Third Party Advisory] https://github.com/minio/minio/releases/tag/RELEASE.2020-04-23T00-58-49Z

Scores

CVSS v3 9.3

EPSS 0.0019

EPSS Percentile 40.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N

Details

CWE

CWE-755 CWE-305

Status published

Products (1)

minio/minio < 2020-04-23t00-58-49z

Published Apr 23, 2020

Tracked Since Feb 18, 2026