CVE-2025-27414: Improper Authentication in MinIO (minio/minio)

Severity: 4.6 MEDIUM (NVD)
EPSS: 0.4% (top 40.30%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products: see Affected Packages below
Timeline: Published Feb 28; latest update Mar 3

Description

MinIO is a high-performance object storage server. Starting in RELEASE.2024-06-06T09-36-42Z and prior to RELEASE.2025-02-28T09-55-16Z, a bug in evaluating the trust of the SSH key used in an SFTP connection to MinIO allows authentication bypass and unauthorized data access. The vulnerable path is only reachable on a MinIO server that has SFTP access configured and uses LDAP as an external identity provider: in that configuration MinIO supports SSH-key-based authentication for SFTP connections when the user has the `sshPublicKey` attribute set in the LDAP directory. Deployments without an SFTP listener, or without LDAP as the identity provider, are not in scope; affected deployments should upgrade to RELEASE.2025-02-28T09-55-16Z or later.
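Two checks a practitioner wants from the paragraph above: whether a given server build falls in the affected range, and what a correct (fail-closed) SSH key trust decision against the LDAP `sshPublicKey` values looks like. The Go below is an added illustration written for this page; it is not MinIO's own code and it does not reproduce the bug. It keeps to the standard library, so it compares decoded key blobs byte for byte instead of using golang.org/x/crypto/ssh (`ssh.ParseAuthorizedKey` / `ssh.KeysEqual`), which is what a real server should use. All key material is constructed placeholder data, not real SSH keys, and the version tags in `main` are taken from the advisory.

```go
package main

import (
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Affected range as stated in the advisory: first vulnerable tag and first fixed tag.
const (
	firstVulnerable = "RELEASE.2024-06-06T09-36-42Z"
	firstFixed      = "RELEASE.2025-02-28T09-55-16Z"
	releaseLayout   = "2006-01-02T15-04-05" // MinIO tag timestamp, trailing "Z" stripped
)

// parseRelease turns a MinIO tag such as RELEASE.2024-06-06T09-36-42Z into a time.Time.
func parseRelease(tag string) (time.Time, error) {
	ts, ok := strings.CutPrefix(strings.TrimSpace(tag), "RELEASE.")
	if !ok || !strings.HasSuffix(ts, "Z") {
		return time.Time{}, fmt.Errorf("not a MinIO release tag: %q", tag)
	}
	t, err := time.Parse(releaseLayout, strings.TrimSuffix(ts, "Z"))
	if err != nil {
		return time.Time{}, fmt.Errorf("bad timestamp in %q: %w", tag, err)
	}
	return t, nil
}

// IsAffected reports whether a server build tag lies in [firstVulnerable, firstFixed).
func IsAffected(tag string) (bool, error) {
	v, err := parseRelease(tag)
	if err != nil {
		return false, err
	}
	lo, _ := parseRelease(firstVulnerable)
	hi, _ := parseRelease(firstFixed)
	return !v.Before(lo) && v.Before(hi), nil
}

// parseAuthorizedKey splits an OpenSSH-style line "<type> <base64 blob> [comment]"
// into key type and decoded blob. Anything malformed is an error, never a match.
func parseAuthorizedKey(line string) (string, []byte, error) {
	fields := strings.Fields(line)
	if len(fields) < 2 {
		return "", nil, errors.New("malformed public key line")
	}
	blob, err := base64.StdEncoding.DecodeString(fields[1])
	if err != nil {
		return "", nil, fmt.Errorf("bad base64 in public key: %w", err)
	}
	return fields[0], blob, nil
}

// KeyTrusted grants access only when the key presented by the SFTP client equals one
// of the user's stored sshPublicKey values (same type, same blob). An empty attribute
// set, or stored values that do not parse, never authenticate anyone (fail closed).
func KeyTrusted(presented string, sshPublicKeys []string) bool {
	pType, pBlob, err := parseAuthorizedKey(presented)
	if err != nil {
		return false
	}
	for _, stored := range sshPublicKeys {
		sType, sBlob, err := parseAuthorizedKey(stored)
		if err != nil {
			continue // skip unparsable directory entries rather than trusting them
		}
		if sType == pType && subtle.ConstantTimeCompare(sBlob, pBlob) == 1 {
			return true
		}
	}
	return false
}

// Constructed placeholder "keys": the blobs are arbitrary bytes, not real SSH key encodings.
var (
	constructedAliceKey   = "ssh-ed25519 " + base64.StdEncoding.EncodeToString([]byte("constructed-blob-alice")) + " alice@example.org"
	constructedMalloryKey = "ssh-ed25519 " + base64.StdEncoding.EncodeToString([]byte("constructed-blob-mallory")) + " mallory@example.org"
	constructedLDAPKeys   = []string{constructedAliceKey, "ssh-rsa not!valid!base64 stale-entry"}
)

func main() {
	for _, tag := range []string{firstVulnerable, firstFixed} {
		affected, err := IsAffected(tag)
		fmt.Printf("%s affected=%v err=%v\n", tag, affected, err)
	}
	fmt.Println("alice trusted:  ", KeyTrusted(constructedAliceKey, constructedLDAPKeys))
	fmt.Println("mallory trusted:", KeyTrusted(constructedMalloryKey, constructedLDAPKeys))
	fmt.Println("no attribute:   ", KeyTrusted(constructedAliceKey, nil))
}
```

Feed `IsAffected` the RELEASE tag printed by `minio --version` (or shown by `mc admin info`); a tag at or after the first fixed release is reported as not affected. The trust check deliberately treats "attribute present but no value matches" and "attribute absent" identically, which is the property the advisory says the vulnerable releases got wrong.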

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Note that the vector scores only integrity impact (VI:H, VC:N), while the description speaks of unauthorized data access; when triaging, treat read access to stored objects as in scope regardless of how the impact metrics were filled in.

Affected Packages (2)

Go module github.com/minio/minio: introduced in 0.0.0-20240605075113-91e1487de457, fixed in 0.0.0-20250227184332-4c71f1b4ec0f
CVEListV5 minio/minio: >= RELEASE.2024-06-06T09-36-42Z, < RELEASE.2025-02-28T09-55-16Z

Vulnerability Details (3 references)

OSV: MinIO allows an SFTP authentication bypass due to improperly trusted SSH key (2025-03-03)
OSV: MinIO SFTP authentication bypass due to improperly trusted SSH key in github.com/minio/minio (2025-03-03)
GHSA: MinIO allows an SFTP authentication bypass due to improperly trusted SSH key (2025-03-03)

Vendor Advisories (1)

Red Hat: minio: MinIO SFTP authentication bypass due to improperly trusted SSH key (2025-02-28)