CVE-2025-27414
published 2025-02-28
Priority P4 · 30 · medium · 4.6 (CVSS 4.0)
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.51% (39.7th percentile)
MinIO is a high performance object storage. Starting in RELEASE.2024-06-06T09-36-42Z and prior to RELEASE.2025-02-28T09-55-16Z, a bug in evaluating the trust of the SSH key used in an SFTP connection to MinIO allows authentication bypass and unauthorized data access. On a MinIO server with SFTP access configured and using LDAP as an external identity provider, MinIO supports SSH key based authentication for SFTP connections when the user has the `sshPublicKey` attribute set in their LDAP server. The server trusts the client's key only when the public key is the same as the `sshPublicKey` attribute. Due to the bug, when the user has no `sshPublicKey` property in LDAP, the server ends up trusting the key allowing the client to perform any FTP operations allowed by the MinIO access policies associated with the LDAP user (or any of their groups). Three requirements must be met in order to exploit the vulnerability. First, the MinIO server must be configured to allow SFTP access and use LDAP as an external identity provider. Second, the attacker must have knowledge of an LDAP username that does not have the `sshPublicKey` property set. Third, such an LDAP username or one of their groups must also have some MinIO access policy configured. When this bug is successfully exploited, the attacker can perform any FTP operations (i.e. reading, writing, deleting and listing objects) allowed by the access policy associated with the LDAP user account (and their groups). Version 1.2.0 fixes the issue.
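To make the trust evaluation described above concrete, here is an added Go illustration (hypothetical code written for this page, not MinIO's implementation): a model of the vacuous-trust failure, where an LDAP user with no `sshPublicKey` values is accepted because nothing contradicts the default, beside a deny-by-default check that treats the absent attribute as its own auditable failure.

```go
package main

import (
	"crypto/subtle"
	"errors"
)

var (
	ErrNoKey       = errors.New("user has no sshPublicKey attribute: key auth not permitted")
	ErrKeyMismatch = errors.New("presented key matches no sshPublicKey value")
)

// trustKeyBuggy models the failure mode in the advisory (hypothetical, not
// MinIO's code): it only compares when the attribute is present, so a user
// with no sshPublicKey value falls through to the default "trusted" result.
// sshPublicKey holds the LDAP attribute values; presented is the client's key
// in authorized_keys form ("type base64").
func trustKeyBuggy(sshPublicKey []string, presented string) bool {
	if len(sshPublicKey) > 0 {
		for _, stored := range sshPublicKey {
			if subtle.ConstantTimeCompare([]byte(stored), []byte(presented)) == 1 {
				return true
			}
		}
		return false
	}
	return true // vacuous trust: nothing to compare against
}

// trustKeyFixed denies by default: an absent attribute is a distinct,
// loggable failure rather than an accepted login, and only an exact,
// non-empty match is trusted.
func trustKeyFixed(sshPublicKey []string, presented string) (bool, error) {
	if len(sshPublicKey) == 0 {
		return false, ErrNoKey
	}
	for _, stored := range sshPublicKey {
		if presented != "" && subtle.ConstantTimeCompare([]byte(stored), []byte(presented)) == 1 {
			return true, nil
		}
	}
	return false, ErrKeyMismatch
}
```

Logging `ErrNoKey` separately from `ErrKeyMismatch` gives defenders a signal for key-auth attempts against accounts that should never have been eligible for it.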
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | minio_minio | >= 0.0.0-20240605075113-91e1487de457 < 0.0.0-20250227184332-4c71f1b4ec0f | 0.0.0-20250227184332-4c71f1b4ec0f |
| minio | minio | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 4.0 | 4.6 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vendor_redhat | — | 4.6 | MEDIUM | — |
OSV · 2025-03-03
CVE-2025-27414 [MEDIUM] MinIO allows an SFTP authentication bypass due to improperly trusted SSH key
### Summary
_A bug in evaluating the trust of the SSH key used in an SFTP connection to MinIO allows authentication bypass and unauthorized data access._
### Details
On a MinIO server with SFTP access configured and using LDAP as an external identity provider, MinIO supports SSH key based authentication for SFTP connections when the user has the `sshPublicKey` attribute set in their LDAP server. The server trusts the client's key only when the public key is the same as the `sshPublicKey` attribute.
Due to the bug, when the user has no `sshPublicKey` property in LDAP, the server ends up trusting the key allowing the client to perform any FTP operations allowed by the MinIO access policies associated with the LDAP user (or any of their groups).
OSV · 2025-03-03
CVE-2025-27414 MinIO SFTP authentication bypass due to improperly trusted SSH key in github.com/minio/minio
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.
(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)
The additional affected modules and versions are: github.com/minio/minio from RELEASE.2024-06-06T09-36-42Z before RELEASE.2025-02-28T09-55-16Z.
GHSA · 2025-03-03
CVE-2025-27414 [MEDIUM] CWE-287 MinIO allows an SFTP authentication bypass due to improperly trusted SSH key
Red Hat · vendor_redhat · 2025-02-28 · CVSS 4.6
CVE-2025-27414 [MEDIUM] CWE-287 minio: MinIO SFTP authentication bypass due to improperly trusted SSH key
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2025-02-28