Security Advisory

On September 4th, it was uncovered that an unknown threat actor had attacked publicly available MinIO object storage clusters. The attackers exploited two known security vulnerabilities in the MinIO server: CVE-2023-28432 and CVE-2023-28434 Both vulnerabilities had been reported and fixed on March 19th and 20th, and a new release, RELEASE.2023-03-20T20-16-18Z, was published on the same day. Both CVEs were

Synopsis: A signature verification bypass vulnerability against the MinIO server was discovered and has been fixed in RELEASE.2021-03-17T02-33-02Z [https://github.com/minio/minio/releases/tag/RELEASE.2021-03-17T02-33-02Z]. Severity: Medium Who is affected: All users of the MinIO server version before RELEASE.2021-03-17T02-33-02Z  affected. Users access MinIO over TLS are not affected. Recommended Action for Users: All users are advised

Synopsis: A server-side request forgery (SSRF) vulnerability against the MinIO server was discovered and has been fixed in RELEASE.2021-01-30T00-20-58Z [https://github.com/minio/minio/releases/tag/RELEASE.2021-01-30T00-20-58Z]. Severity: Medium Who is affected: All users of the MinIO server version RELEASE.2019-12-17T23-16-33Z or newer are affected. Users that have disabled the MinIO browser UI are not affected. Recommended Action

Synopsis: A denial-of-service (DoS) possibility against the MinIO server was discovered and has been fixed in RELEASE.2019-08-07T01-59-21Z. Severity: Medium Who is affected: All users of the MinIO server version RELEASE.2019–03–06T22–47–10Z or newer are affected. Further, all users of the MinIO gateway version RELEASE.2019–03–06T22–47–10Z or newer using STS are affected

Synopsis: Unauthorized bucket access possibilities against the IAM implementation of MinIO server was discovered and has been fixed in RELEASE.2019–06–15T23–07–18Z. Severity: High Who is affected: All users of IAM feature of MinIO server and gateway are affected. It is highly recommended to upgrade. Recommended Action for Users: All users are advised to upgrade their Minio

Synopsis: Two different privilege escalation possibilities against the IAM implementation of MinIO server were discovered and has been fixed in RELEASE.2019–04–04T18–31–46Z. Severity: High Who is affected: All users of the MinIO server are affected. Users of the MinIO gateway are not affected. However, it is still recommended to upgrade. Recommended Action for Users: All users

Synopsis: Possibility of spoofing authentication as another user on the Minio server S3 and Admin API was discovered and has been fixed in RELEASE.2019–02–20T22–44–29Z Severity: Medium Who is affected: All users using multi-user [https://docs.minio.io/docs/minio-multi-user-quickstart-guide.html] feature are affected. However, it is still recommended for everyone to upgrade. Recommended Action for

Synopsis: Possibility of authentication bypass against the Minio server Storage API was discovered and has been fixed in RELEASE.2019–02–12T21–58–47Z Severity: Critical Who is affected: The concerned issue is present in all the Minio releases after October 4th 2018. All users of distributed erasure backend are affected. Users of FS and Gateway backend are not affected.

Synopsis: A violation of the SSE-C security guarantees was discovered and has been fixed in RELEASE.2018–07–10T01–42–11Z [https://github.com/minio/minio/releases/tag/RELEASE.2018-07-10T01-42-11Z]. Severity: Low Who is affected: All users who stored objects using the S3 SSE-C API and used the same client-provided key at least twice for different objects. Recommended Action for

Synopsis: A Denial-of-Service (DoS) vulnerability against the Minio server was discovered and has been fixed in RELEASE.2018–05–25T19–49–13Z [https://github.com/minio/minio/tree/RELEASE.2018-05-25T19-49-13Z] Severity: Medium Who is affected: All users of the signature V4 authentication are affected. Users of the signature V2 authentication are not affected. Recommended Action for Users: All users are