CVE-2025-32963
Severity: MEDIUM
MinIO Operator < 7.1.0 - Insufficiently Protected Credentials via Unscoped STS Token Audience
Title source: llmDescription
MinIO Operator STS is a native IAM authentication mechanism for Kubernetes workloads, built on the cluster's service-account tokens. Prior to version 7.1.0, if no audiences were provided in the `spec.audiences` field, the token audience defaulted to that of the Kubernetes API server. Because such a token is not scoped to the Operator's STS endpoint, it can be replayed to other internal systems that accept API-server-audience tokens, and those systems may unintentionally trust it. This issue has been patched in version 7.1.0.
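The following Go program is an added example written for this page, not code from the MinIO Operator. It shows why audience scoping matters on the verifying side: a service-account token minted with no audience carries the API server's audience, so a verifier that only asks "is this token authenticated?" accepts it, while a verifier that requests and then requires its own audience rejects it. The audience name `sts.minio.io`, the offline `reviewToken` stand-in (which models the documented TokenReview semantics instead of calling a cluster), and the unsigned constructed tokens are all assumptions of the example; signature verification is left to the API server and is not performed here.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

const (
	// Audience the STS verifier requires. Illustrative value chosen for this
	// example; the page does not name the audience the fixed Operator uses.
	stsAudience = "sts.minio.io"
	// Audience Kubernetes mints into a projected token that names no audience.
	apiServerAudience = "https://kubernetes.default.svc"
)

// Reduced local copy of authentication.k8s.io/v1 TokenReviewStatus (not client-go).
type tokenReviewStatus struct {
	Authenticated bool
	Audiences     []string
}

// parseAud decodes a compact JWT payload; signature checks are the apiserver's job, not done here.
func parseAud(token string) ([]string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c struct {
		Aud []string `json:"aud"` // projected tokens emit aud as an array
	}
	if err := json.Unmarshal(raw, &c); err != nil {
		return nil, err
	}
	return c.Aud, nil
}

// reviewToken is an offline stand-in for TokenReview: empty spec.audiences checks the apiserver
// audience and returns no status.audiences; otherwise status.audiences is the intersection.
func reviewToken(token string, specAudiences []string) tokenReviewStatus {
	aud, err := parseAud(token)
	if err != nil {
		return tokenReviewStatus{}
	}
	if len(specAudiences) == 0 {
		for _, a := range aud {
			if a == apiServerAudience {
				return tokenReviewStatus{Authenticated: true}
			}
		}
		return tokenReviewStatus{}
	}
	var matched []string
	for _, want := range specAudiences {
		for _, have := range aud {
			if want == have {
				matched = append(matched, have)
			}
		}
	}
	return tokenReviewStatus{Authenticated: len(matched) > 0, Audiences: matched}
}

// stsAccepts is the audience-aware check: Authenticated alone is not enough, status.audiences
// must echo the requested audience (empty + Authenticated means "valid for the apiserver only").
func stsAccepts(st tokenReviewStatus, required string) bool {
	if !st.Authenticated {
		return false
	}
	for _, a := range st.Audiences {
		if a == required {
			return true
		}
	}
	return false
}

// makeToken builds a constructed, unsigned token whose payload carries aud.
func makeToken(aud ...string) string {
	hdr := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"none","typ":"JWT"}`))
	body, _ := json.Marshal(map[string][]string{"aud": aud})
	return hdr + "." + base64.RawURLEncoding.EncodeToString(body) + ".unsigned"
}

func main() {
	defaultTok := makeToken(apiServerAudience) // projection with no audience
	scopedTok := makeToken(stsAudience)        // projection with audience: sts.minio.io
	// Weak shape: no audience requested, Authenticated is all that is checked.
	fmt.Println("unscoped, apiserver token:", reviewToken(defaultTok, nil).Authenticated)
	// Hardened shape: request stsAudience and require it in the status.
	want := []string{stsAudience}
	fmt.Println("scoped, apiserver token:  ", stsAccepts(reviewToken(defaultTok, want), stsAudience))
	fmt.Println("scoped, sts token:        ", stsAccepts(reviewToken(scopedTok, want), stsAudience))
}
```

Running it with `go run` prints true, false, true. In a real deployment the two halves are: the client pod's projected service-account token volume names the STS audience, and the verifier passes that same audience in `TokenReview.spec.audiences` and then checks that `status.audiences` contains it. The last check is the one practitioners tend to skip: an API server that is not audience-aware returns `authenticated: true` with an empty `status.audiences`, which is exactly the "valid for the API server only" case the advisory describes.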
References (3)
Vendor Advisory: https://github.com/minio/operator/security/advisories/GHSA-7m6v-q233-q9j9
Patch: https://github.com/minio/operator/commit/d586294d526bf0d8e6097225114655f68b0adcc5
Release Notes: https://github.com/minio/operator/releases/tag/v7.1.0
Scores
CVSS v4: 6.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N)
EPSS: 0.0052 (percentile 40.0%)
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: yes
Technical Impact: partial
Details
CWE: CWE-522 (Insufficiently Protected Credentials)
Status: published
Products (2)
minio/operator (Go): 0 - 7.1.0
minio/operator: < 7.1.0
Published
Apr 22, 2025
Tracked Since
Feb 18, 2026