CVE-2022-35919
Published: 2022-08-01
Priority: P3 · Severity: low · CVSS 3.1 base score: 2.7
CVSS 3.1 vector: AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
Exploit: public PoC listed in the references
EPSS: 52.33% (98.8th percentile)
MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. In affected versions, any 'admin' user authorized for `admin:ServerUpdate` can deliberately trigger an error whose response returns the content of the path requested. On any ordinary operating system this grants read access to arbitrary paths that are readable by the MinIO process. Users are advised to upgrade. Users unable to upgrade may disable the ServerUpdate API by denying the `admin:ServerUpdate` action for their admin users via IAM policies.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | minio_minio | >= 0.0.0-20220724015452 < 0.0.0-20260414213245 | 0.0.0-20260414213245 |
| minio | minio | < RELEASE.2022-07-29T19-40-48Z | RELEASE.2022-07-29T19-40-48Z |
| minio | minio | < 2022-07-29t19-40-48z | 2022-07-29t19-40-48z |
Detection & IOCs
- Monitor for POST requests to the /minio/admin/v3/update endpoint with an 'updateURL' query parameter containing path-traversal sequences (e.g., %2F, ../) pointing to sensitive OS files such as /etc/passwd.
- Detect the exploit by inspecting the X-Amz-Content-Sha256 header for the empty-body SHA256 hash (e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855) on POST requests to the MinIO admin update API, which indicates no update payload was sent — a hallmark of the PoC probe.
- Alert on any MinIO admin user exercising the admin:ServerUpdate action, especially when the updateURL parameter resolves to a local filesystem path rather than a legitimate remote update URL.
- Look for error responses from MinIO that contain /etc/passwd-style content (colon-delimited fields matching username:password:uid:gid:gecos:home:shell) in the JSON 'Message' field, which indicates successful path-traversal data exfiltration.
- Exploitation requires valid admin credentials with the admin:ServerUpdate IAM permission. Restrict this permission via IAM policy to reduce the attack surface on unpatched instances.
- The vulnerability affects all MinIO versions up to (excluding) 2022-07-29T19:40:48Z. Any file on the OS readable by the MinIO process is potentially exfiltrable, not just /etc/passwd.
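A triage routine that applies the indicators above to request records and error bodies, added here as an example and not part of this advisory or of MinIO's own code. The endpoint, query parameter and empty-body hash come from the page; the sample requests, the updates.example.com URL and the leaked-body sample are constructed.

```python
import json
import re
from urllib.parse import parse_qs, unquote, urlparse

# Indicators taken from the advisory: endpoint, query parameter, empty-body SHA-256.
UPDATE_PATH = "/minio/admin/v3/update"
EMPTY_BODY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
TRAVERSAL = re.compile(r"\.\.[/\\]|%2e%2e|%2f", re.IGNORECASE)
# One /etc/passwd-style record: seven colon-separated fields with numeric uid and gid.
PASSWD_LINE = re.compile(r"^[^:\s]+:[^:\n]*:\d+:\d+:[^:\n]*:[^:\n]*:[^:\n]*$", re.MULTILINE)


def classify_request(method: str, url: str, headers: dict) -> list:
    """Return the detection labels that apply to one admin-API request."""
    parsed = urlparse(url)
    if method.upper() != "POST" or parsed.path != UPDATE_PATH:
        return []
    labels = ["serverupdate-call"]  # any use of admin:ServerUpdate is worth an alert
    # parse_qs percent-decodes once; decode again to catch double-encoded dots and slashes.
    update_url = parse_qs(parsed.query).get("updateURL", [""])[0]
    if TRAVERSAL.search(update_url) or TRAVERSAL.search(unquote(update_url)):
        labels.append("traversal-in-updateURL")
    if urlparse(unquote(update_url)).scheme.lower() not in ("http", "https"):
        labels.append("non-remote-updateURL")  # a local path rather than a download URL
    # Empty-body hash: weak on its own, stronger when it coincides with the labels above.
    if headers.get("X-Amz-Content-Sha256", "").lower() == EMPTY_BODY_SHA256:
        labels.append("empty-body-probe")
    return labels


def response_leaks_passwd(body: str) -> bool:
    """True if a MinIO JSON error body carries passwd-style records in its 'Message'."""
    try:
        message = json.loads(body).get("Message", "")
    except (ValueError, AttributeError):
        return False
    return isinstance(message, str) and bool(PASSWD_LINE.search(message))


# Constructed sample traffic (not captured from a real deployment).
SAMPLE_REQUESTS = [
    ("POST", "/minio/admin/v3/update?updateURL=https://updates.example.com/minio",
     {"X-Amz-Content-Sha256": "0f3a" * 16}),
    ("POST", "/minio/admin/v3/update?updateURL=..%2F..%2F..%2Fetc%2Fpasswd",
     {"X-Amz-Content-Sha256": EMPTY_BODY_SHA256}),
    ("GET", "/minio/admin/v3/info", {}),
]
SAMPLE_LEAK_BODY = '{"Message": "root:x:0:0:root:/root:/bin/bash\\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin"}'


def triage(requests=SAMPLE_REQUESTS) -> list:
    """Label every request; an empty list means no indicator fired."""
    return [classify_request(m, u, h) for m, u, h in requests]
```

Run `triage()` over your own access-log records and `response_leaks_passwd()` over the error bodies; a request carrying several labels at once is the pattern to escalate.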
References
- http://packetstormsecurity.com/files/175010/Minio-2022-07-29T19-40-48Z-Path-Traversal.html
- https://github.com/minio/minio/commit/bc72e4226e669d98c8e0f3eccc9297be9251c692
- https://github.com/minio/minio/pull/15429
- https://github.com/minio/minio/security/advisories/GHSA-gr9v-6pcm-rqvg