x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2020-11012

[tatianab]

CVE-2020-11012 references github.com/minio/minio, which may be a Go module.

Description:
MinIO versions before RELEASE.2020-04-23T00-58-49Z have an authentication bypass issue in the MinIO admin API. Given an admin access key, it is possible to perform admin API operations i.e. creating new service accounts for existing access keys - without knowing the admin secret key. This has been fixed and released in version RELEASE.2020-04-23T00-58-49Z.

References:

• NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-11012
• advisory: GHSA-xv4r-vccv-mg4w
• fix: fix: Add missing return in admin requests auth minio/minio#9422
• fix: minio/minio@4cd6ca0
• web: https://github.com/minio/minio/releases/tag/RELEASE.2020-04-23T00-58-49Z
• Imported by: https://pkg.go.dev/github.com/minio/minio?tab=importedby

Cross references:

• Module github.com/minio/minio appears in issue x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2021-43858 #285 EFFECTIVELY_PRIVATE
• Module github.com/minio/minio appears in issue x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2022-24842 #421 EFFECTIVELY_PRIVATE
• Module github.com/minio/minio appears in issue x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2022-31028 #479 EFFECTIVELY_PRIVATE
• Module github.com/minio/minio appears in issue x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2022-35919 #756 EFFECTIVELY_PRIVATE
• Module github.com/minio/minio appears in issue x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2023-25812 #1591 EFFECTIVELY_PRIVATE
• Module github.com/minio/minio appears in issue x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2023-27589 #1634 EFFECTIVELY_PRIVATE
• Module github.com/minio/minio appears in issue x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2023-28432 #1667 EFFECTIVELY_PRIVATE
• Module github.com/minio/minio appears in issue x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2023-28433 #1668 EFFECTIVELY_PRIVATE
• Module github.com/minio/minio appears in issue x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2023-28434 #1669 EFFECTIVELY_PRIVATE

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/minio/minio
      vulnerable_at: 0.0.0-20231108174705-15137d032704
      packages:
        - package: minio
cves:
    - CVE-2020-11012
references:
    - advisory: https://github.com/minio/minio/security/advisories/GHSA-xv4r-vccv-mg4w
    - fix: https://github.com/minio/minio/pull/9422
    - fix: https://github.com/minio/minio/commit/4cd6ca02c7957aeb2de3eede08b0754332a77923
    - web: https://github.com/minio/minio/releases/tag/RELEASE.2020-04-23T00-58-49Z

[gopherbot]

Change https://go.dev/cl/540721 mentions this issue: data/excluded: batch add 135 excluded reports