CVE-2023-27589 - Vulnerability Details - OpenCVE

Minio is a Multi-Cloud Object Storage framework. Starting with RELEASE.2020-12-23T02-24-12Z and prior to RELEASE.2023-03-13T19-46-17Z, a user with `consoleAdmin` permissions can potentially create a user that matches the root credential `accessKey`. Once this user is created successfully, the root credential ceases to work appropriately. The issue is patched in RELEASE.2023-03-13T19-46-17Z. There are ways to work around this via adding higher privileges to the disabled root user via `mc admin policy set`.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Minio	Minio

Configuration 1 [-]

cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/minio/minio/pull/16803
https://github.com/minio/minio/security/advisories/GHSA-9wfv-wmf7-6753

History

Tue, 25 Feb 2025 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-03-14T18:22:35.884Z

Updated: 2025-02-25T14:57:36.535Z

Reserved: 2023-03-04T01:03:53.635Z

Link: CVE-2023-27589

Vulnrichment

Updated: 2024-08-02T12:16:36.220Z

NVD

Status : Modified

Published: 2023-03-14T19:15:10.547

Modified: 2024-11-21T07:53:12.710

Link: CVE-2023-27589

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-27589", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-03-04T01:03:53.635Z", "datePublished": "2023-03-14T18:22:35.884Z", "dateUpdated": "2025-02-25T14:57:36.535Z"}, "containers": {"cna": {"title": "Minio vulnerable to denial of access by an admin privileged user for root credential", "problemTypes": [{"descriptions": [{"cweId": "CWE-269", "lang": "en", "description": "CWE-269: Improper Privilege Management", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/minio/minio/security/advisories/GHSA-9wfv-wmf7-6753", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/minio/minio/security/advisories/GHSA-9wfv-wmf7-6753"}, {"name": "https://github.com/minio/minio/pull/16803", "tags": ["x_refsource_MISC"], "url": "https://github.com/minio/minio/pull/16803"}], "affected": [{"vendor": "minio", "product": "minio", "versions": [{"version": ">= RELEASE.2020-12-23T02-24-12Z, < RELEASE.2023-03-13T19-46-17Z", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-03-14T18:22:35.884Z"}, "descriptions": [{"lang": "en", "value": "Minio is a Multi-Cloud Object Storage framework. Starting with RELEASE.2020-12-23T02-24-12Z and prior to RELEASE.2023-03-13T19-46-17Z, a user with `consoleAdmin` permissions can potentially create a user that matches the root credential `accessKey`. Once this user is created successfully, the root credential ceases to work appropriately. The issue is patched in RELEASE.2023-03-13T19-46-17Z. There are ways to work around this via adding higher privileges to the disabled root user via `mc admin policy set`."}], "source": {"advisory": "GHSA-9wfv-wmf7-6753", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T12:16:36.220Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/minio/minio/security/advisories/GHSA-9wfv-wmf7-6753", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/minio/minio/security/advisories/GHSA-9wfv-wmf7-6753"}, {"name": "https://github.com/minio/minio/pull/16803", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/minio/minio/pull/16803"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-02-25T14:29:42.987504Z", "id": "CVE-2023-27589", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-25T14:57:36.535Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/minio/minio/security/advisories/GHSA-9wfv-wmf7-6753", "name": "https://github.com/minio/minio/security/advisories/GHSA-9wfv-wmf7-6753", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/minio/minio/pull/16803", "name": "https://github.com/minio/minio/pull/16803", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T12:16:36.220Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-27589", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-02-25T14:29:42.987504Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-25T14:29:44.584Z"}}], "cna": {"title": "Minio vulnerable to denial of access by an admin privileged user for root credential", "source": {"advisory": "GHSA-9wfv-wmf7-6753", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "minio", "product": "minio", "versions": [{"status": "affected", "version": ">= RELEASE.2020-12-23T02-24-12Z, < RELEASE.2023-03-13T19-46-17Z"}]}], "references": [{"url": "https://github.com/minio/minio/security/advisories/GHSA-9wfv-wmf7-6753", "name": "https://github.com/minio/minio/security/advisories/GHSA-9wfv-wmf7-6753", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/minio/minio/pull/16803", "name": "https://github.com/minio/minio/pull/16803", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Minio is a Multi-Cloud Object Storage framework. Starting with RELEASE.2020-12-23T02-24-12Z and prior to RELEASE.2023-03-13T19-46-17Z, a user with `consoleAdmin` permissions can potentially create a user that matches the root credential `accessKey`. Once this user is created successfully, the root credential ceases to work appropriately. The issue is patched in RELEASE.2023-03-13T19-46-17Z. There are ways to work around this via adding higher privileges to the disabled root user via `mc admin policy set`."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-269", "description": "CWE-269: Improper Privilege Management"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-03-14T18:22:35.884Z"}}}, "cveMetadata": {"cveId": "CVE-2023-27589", "state": "PUBLISHED", "dateUpdated": "2025-02-25T14:57:36.535Z", "dateReserved": "2023-03-04T01:03:53.635Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2023-03-14T18:22:35.884Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*", "matchCriteriaId": "9A9B7DC5-7425-4572-B5D8-5BAC663B315A", "versionEndExcluding": "2023-03-13t19-46-17z", "versionStartIncluding": "2020-12-23t02-24-12z", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Minio is a Multi-Cloud Object Storage framework. Starting with RELEASE.2020-12-23T02-24-12Z and prior to RELEASE.2023-03-13T19-46-17Z, a user with `consoleAdmin` permissions can potentially create a user that matches the root credential `accessKey`. Once this user is created successfully, the root credential ceases to work appropriately. The issue is patched in RELEASE.2023-03-13T19-46-17Z. There are ways to work around this via adding higher privileges to the disabled root user via `mc admin policy set`."}], "id": "CVE-2023-27589", "lastModified": "2024-11-21T07:53:12.710", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-03-14T19:15:10.547", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Patch"], "url": "https://github.com/minio/minio/pull/16803"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/minio/minio/security/advisories/GHSA-9wfv-wmf7-6753"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Patch"], "url": "https://github.com/minio/minio/pull/16803"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://github.com/minio/minio/security/advisories/GHSA-9wfv-wmf7-6753"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-269"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}