CVE-2023-27589 references github.com/minio/minio, which may be a Go module.
Description:
Minio is a Multi-Cloud Object Storage framework. Starting with RELEASE.2020-12-23T02-24-12Z and prior to RELEASE.2023-03-13T19-46-17Z, a user with `consoleAdmin` permissions can potentially create a user that matches the root credential `accessKey`. Once this user is created successfully, the root credential ceases to work appropriately. The issue is patched in RELEASE.2023-03-13T19-46-17Z. There are ways to work around this via adding higher privileges to the disabled root user via `mc admin policy set`.
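The fix linked below is titled "Do not allow adding root user to IAM subsystem". The following is an added illustration of that kind of guard, written for this report and not taken from MinIO's code base: a hypothetical in-memory IAM store (`IAMStore`, `AddUser`, `Authenticate` are all assumed names) that refuses to create an IAM user whose access key collides with the root credential, so the root lookup can never be shadowed by a later user entry. Credentials in `main` are constructed sample values.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
)

// ErrRootCredential is returned when a caller tries to create an IAM user whose
// access key is the root credential's access key.
var ErrRootCredential = errors.New("iam: access key matches the root credential and cannot be added")

// IAMStore is a hypothetical stand-in for an IAM subsystem (not MinIO's real
// implementation). Root credentials live outside the user map on purpose.
type IAMStore struct {
	rootAccessKey string
	rootSecretKey string
	users         map[string]string // accessKey -> secretKey
}

// NewIAMStore builds a store whose root credential is fixed at construction.
func NewIAMStore(rootAccessKey, rootSecretKey string) *IAMStore {
	return &IAMStore{
		rootAccessKey: rootAccessKey,
		rootSecretKey: rootSecretKey,
		users:         make(map[string]string),
	}
}

// AddUser is the guarded creation path. The root access key is rejected before
// anything is written, which is the behaviour the advisory's fix describes.
func (s *IAMStore) AddUser(accessKey, secretKey string) error {
	if accessKey == "" || secretKey == "" {
		return errors.New("iam: access key and secret key must be non-empty")
	}
	if accessKey == s.rootAccessKey {
		return ErrRootCredential
	}
	if _, exists := s.users[accessKey]; exists {
		return fmt.Errorf("iam: user %q already exists", accessKey)
	}
	s.users[accessKey] = secretKey
	return nil
}

// Authenticate checks root first, then IAM users, using constant-time
// comparison for the secrets. Because AddUser never stores the root access
// key, a root login cannot be diverted to a user-supplied secret.
func (s *IAMStore) Authenticate(accessKey, secretKey string) bool {
	if accessKey == s.rootAccessKey {
		return subtle.ConstantTimeCompare([]byte(secretKey), []byte(s.rootSecretKey)) == 1
	}
	stored, ok := s.users[accessKey]
	if !ok {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(secretKey), []byte(stored)) == 1
}

// HasUser reports whether an IAM user entry exists for the access key.
func (s *IAMStore) HasUser(accessKey string) bool {
	_, ok := s.users[accessKey]
	return ok
}

func main() {
	// Constructed sample credentials for the demonstration.
	store := NewIAMStore("root-access-key", "root-secret-key")

	fmt.Println("add alice:", store.AddUser("alice", "alice-secret"))
	fmt.Println("add root-access-key as IAM user:", store.AddUser("root-access-key", "other-secret"))
	fmt.Println("root still authenticates:", store.Authenticate("root-access-key", "root-secret-key"))
	fmt.Println("shadow secret rejected:", store.Authenticate("root-access-key", "other-secret"))
}
```

The guard belongs at the creation boundary rather than in the authentication path: once a colliding entry has been persisted, later lookups have to decide which record wins, and the advisory describes exactly that failure (the root credential "ceases to work appropriately").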
References:
- NIST: https://nvd.nist.gov/vuln/detail/CVE-2023-27589
- JSON: https://github.com/CVEProject/cvelist/tree/4041fa4c9387e54ee0a0bb29ca4561b29655e389/2023/27xxx/CVE-2023-27589.json
- advisory: GHSA-9wfv-wmf7-6753
- fix: Do not allow adding root user to IAM subsystem minio/minio#16803
- Imported by: https://pkg.go.dev/github.com/minio/minio?tab=importedby
Cross references:
- Module github.com/minio/minio appears in issue x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2021-43858 #285 EFFECTIVELY_PRIVATE
- Module github.com/minio/minio appears in issue x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2022-24842 #421 EFFECTIVELY_PRIVATE
- Module github.com/minio/minio appears in issue x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2022-31028 #479 EFFECTIVELY_PRIVATE
- Module github.com/minio/minio appears in issue x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2022-35919 #756 EFFECTIVELY_PRIVATE
- Module github.com/minio/minio appears in issue x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2023-25812 #1591 EFFECTIVELY_PRIVATE
See doc/triage.md for instructions on how to triage this report.
modules:
  - module: github.com/minio/minio
    packages:
      - package: minio
description: |
  Minio is a Multi-Cloud Object Storage framework. Starting with RELEASE.2020-12-23T02-24-12Z and prior to RELEASE.2023-03-13T19-46-17Z, a user with `consoleAdmin` permissions can potentially create a user that matches the root credential `accessKey`. Once this user is created successfully, the root credential ceases to work appropriately. The issue is patched in RELEASE.2023-03-13T19-46-17Z. There are ways to work around this via adding higher privileges to the disabled root user via `mc admin policy set`.
cves:
  - CVE-2023-27589
references:
  - advisory: https://github.com/minio/minio/security/advisories/GHSA-9wfv-wmf7-6753
  - fix: https://github.com/minio/minio/pull/16803