CVE-2022-35919

HIGH

MinIO - Info Disclosure

Title source: llm

Description

MinIO is a high-performance object storage server released under the GNU Affero General Public License v3.0. In affected versions, any 'admin' user authorized for `admin:ServerUpdate` can deliberately trigger an error whose response returns the content of the path requested. On any ordinary operating system this exposes the contents of arbitrary paths that are readable by the MinIO process. Users are advised to upgrade. Users unable to upgrade may disable the ServerUpdate API by denying the `admin:ServerUpdate` action for their admin users via IAM policies.
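The mitigation above depends on the Deny actually winning over whatever Allow statements an admin already holds. The following is an added example, not MinIO's own code or part of the advisory: a small checker that approximates MinIO's policy evaluation for a single action (IAM-style `*`/`?` wildcards, any matching Deny overriding every Allow, `NotAction` honoured, admin actions carrying no Resource) and reports whether a policy document still grants `admin:ServerUpdate`. The two policy documents embedded in it are constructed samples; the hardened one is the shape of policy the advisory recommends. Conditions are ignored, and the function names are this example's own.

```python
"""Check whether a MinIO IAM policy document still grants admin:ServerUpdate.

Added example for the CVE-2022-35919 mitigation; not MinIO's own code. It
approximates MinIO's policy evaluation for one action: patterns use IAM-style
'*' and '?' wildcards, any matching Deny overrides every Allow, NotAction
inverts the match set, and Resource is ignored because admin actions have none.
Condition blocks are not evaluated. Sample policies below are constructed.
"""
import fnmatch
import json

ACTION = "admin:ServerUpdate"

# Constructed sample: full admin rights plus the explicit Deny the advisory
# recommends for users who cannot upgrade yet.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["admin:*"]},
        {"Effect": "Deny", "Action": ["admin:ServerUpdate"]},
        {"Effect": "Allow", "Action": ["s3:*"], "Resource": ["arn:aws:s3:::*"]},
    ],
})

# Constructed sample: the same admin policy without the Deny. The admin:*
# wildcard still covers ServerUpdate, so the holder can reach the bug.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["admin:*"]},
    ],
})


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _action_matches(pattern, action):
    """Wildcard match of one action against one policy pattern.

    Matching is exact-case, so use the canonical spelling admin:ServerUpdate.
    fnmatchcase supports '*' and '?' which is all IAM action patterns use.
    """
    return fnmatch.fnmatchcase(action, pattern)


def evaluate_action(policy_json, action=ACTION):
    """Return 'deny', 'allow' or 'implicit-deny' for one admin action.

    Statement order does not matter: a single matching Deny is final, an
    Allow only counts if no Deny matches anywhere in the document, and a
    policy that never mentions the action denies it implicitly.
    """
    policy = json.loads(policy_json)
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        if not isinstance(stmt, dict):
            continue
        matched = any(_action_matches(p, action)
                      for p in _as_list(stmt.get("Action")))
        # NotAction selects every action that does NOT match its patterns.
        if not matched and "NotAction" in stmt:
            matched = not any(_action_matches(p, action)
                              for p in _as_list(stmt.get("NotAction")))
        if not matched:
            continue
        if stmt.get("Effect") == "Deny":
            return "deny"
        if stmt.get("Effect") == "Allow":
            allowed = True
    return "allow" if allowed else "implicit-deny"


def grants_server_update(policy_json):
    """True if a holder of this policy can still call the ServerUpdate API."""
    return evaluate_action(policy_json) == "allow"


if __name__ == "__main__":
    for name, doc in (("hardened", HARDENED_POLICY), ("weak", WEAK_POLICY)):
        print(f"{name}: {evaluate_action(doc)}")
```

To run this against a real deployment, export each custom policy with `mc admin policy info ALIAS POLICYNAME` and feed the JSON to `evaluate_action`. Because MinIO applies the union of every policy attached to a user and to the groups it belongs to, a Deny must appear in a policy that every admin identity actually carries, and an Allow in any other attached policy without a matching Deny still exposes the API; the server's own evaluation remains authoritative.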

Exploits (3)

exploitdb WORKING POC
by Jenson Zhao · python · webapps · go
https://www.exploit-db.com/exploits/51734
github WORKING POC
by Immer5ion · python · poc
https://github.com/Immer5ion/cve_poc/tree/main/cve-2022-35919.py
nomisec WORKING POC
by ifulxploit · poc
https://github.com/ifulxploit/Minio-Security-Vulnerability-Checker

Scores

CVSS v3 7.4 (High)
EPSS 0.0867 (8.67% estimated probability of exploitation in the next 30 days)
EPSS Percentile 92.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

Details

CWE
CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, 'Path Traversal')
Status published
Products (1)
minio/minio < RELEASE.2022-07-29T19-40-48Z
Published Aug 01, 2022
Tracked Since Feb 18, 2026