CVE-2023-25812
MEDIUM
Minio >=2020-04-10t03-34-42z <2023-02-17t17-52-43z - Improper Preservation of Permissions via BypassGovernance Policy
Title source: llm
Description
Minio is a Multi-Cloud Object Storage framework. Affected versions do not correctly honor a `Deny` policy on BypassGovernance. Ideally, Minio should return "Access Denied" to all users attempting to DELETE a versionId with the special header `X-Amz-Bypass-Governance-Retention: true`. However, the `Deny` policy was not honored: the request was accepted instead, and an object under governance would be incorrectly deleted. All users are advised to upgrade. There are no known workarounds for this issue.
References (3)
Core References
Exploit, Vendor Advisory x_refsource_confirm
https://github.com/minio/minio/security/advisories/GHSA-c8fc-mjj8-fc63
Issue Tracking, Patch x_refsource_misc
https://github.com/minio/minio/pull/16635
Patch x_refsource_misc
https://github.com/minio/minio/commit/a7188bc9d0f0a5ae05aaf1b8126bcd3cb3fdc485
Scores
CVSS v3: 6.5
EPSS: 0.0095
EPSS Percentile: 56.6%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: yes
Technical Impact: partial
Details
CWE: CWE-281
Status: published
Products (1): minio/minio, 2020-04-10t03-34-42z - 2023-02-17t17-52-43z
Published: Feb 21, 2023
Tracked Since: Feb 18, 2026