
CVE-2022-35919

Severity: High. Public PoC: referenced.

Published: 01 August 2022
Modified: 21 November 2024
CVSS Score (v3.1): 7.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L)
EPSS Score: 0.1357 (94.4th percentile)
Risk Priority: 23 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-35919 is a high-severity Path Traversal (CWE-22) vulnerability in MinIO (vendor: MinIO). Its CVSS base score is 7.4 (High).

Operationally, it ranks in the top 5.6% of CVEs by EPSS exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

MinIO, a high-performance object storage system released under the GNU Affero General Public License, contains a path traversal vulnerability tracked as CVE-2022-35919 and assigned CWE-22. The flaw exists in affected versions where any admin user holding the admin:ServerUpdate permission can force an error condition that returns the contents of an arbitrary requested path, exposing files readable by the MinIO process on the underlying operating system.

An attacker with the required admin privileges can exploit the issue remotely without user interaction to read arbitrary files on the host, resulting in limited impacts to confidentiality, integrity, and availability as scored by CVSS 3.1 at 7.4.

Public advisories, including the GitHub security advisory GHSA-gr9v-6pcm-rqvg and the associated pull request, direct users to upgrade to a patched release containing commit bc72e4226e669d98c8e0f3eccc9297be9251c692. For environments that cannot upgrade immediately, the ServerUpdate API can be disabled by denying the admin:ServerUpdate action to admin users via IAM policies.

The EPSS score has remained flat at its peak value of 0.1357 with no material rise after disclosure.

Vulnerability details

MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. In affected versions all 'admin' users authorized for `admin:ServerUpdate` can selectively trigger an error that in response, returns the content of the path requested. Any normal OS system would allow access to contents at any arbitrary paths that are readable by MinIO process. Users are advised to upgrade. Users unable to upgrade may disable ServerUpdate API by denying the `admin:ServerUpdate` action for your admin users via IAM policies.
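Both the advisory text above and the Deeper analysis give the same interim mitigation: deny `admin:ServerUpdate` to admin users through IAM policies. The following is an added example, not code from MinIO or from the advisory, that audits the policy documents attached to MinIO users and reports who can still invoke `admin:ServerUpdate`. It assumes a simplified evaluation rule (an explicit Deny overrides any Allow, and Action entries may be wildcards such as `admin:*`); the two policy documents and the user names are constructed samples.

```python
"""Constructed example: audit MinIO-style IAM policies for admin:ServerUpdate.
Not MinIO's own evaluator; assumed rule: explicit Deny wins over any Allow,
and Action patterns may use wildcards such as "admin:*"."""
import json
from fnmatch import fnmatchcase

# Constructed sample resembling a broad built-in admin policy.
BROAD_ADMIN_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["admin:*"]},
    {"Effect": "Allow", "Action": ["s3:*"], "Resource": ["arn:aws:s3:::*"]}
  ]
}""")

# The interim mitigation from the advisory: deny ServerUpdate explicitly.
DENY_SERVER_UPDATE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Deny", "Action": ["admin:ServerUpdate"]}]
}""")

def _statement_matches(statement, action):
    """True if the statement's Action (string or list) covers `action`."""
    actions = statement.get("Action", [])
    if isinstance(actions, str):
        actions = [actions]
    return any(fnmatchcase(action, pattern) for pattern in actions)

def action_allowed(policies, action):
    """Evaluate all attached policies: any matching Deny -> False, else Allow."""
    allowed = False
    for policy in policies:
        for statement in policy.get("Statement", []):
            if not _statement_matches(statement, action):
                continue
            if statement.get("Effect") == "Deny":
                return False  # explicit deny overrides every allow
            if statement.get("Effect") == "Allow":
                allowed = True
    return allowed

def users_exposed(user_policies, action="admin:ServerUpdate"):
    """Given {user: [policy, ...]}, return users who can still call `action`."""
    return sorted(u for u, p in user_policies.items() if action_allowed(p, action))

if __name__ == "__main__":
    attached = {"alice": [BROAD_ADMIN_POLICY],  # constructed users: unmitigated
                "bob": [BROAD_ADMIN_POLICY, DENY_SERVER_UPDATE_POLICY]}  # mitigated
    print("can still call admin:ServerUpdate:", users_exposed(attached))
```

Feed `users_exposed` the policies actually attached to each admin user (exported from your deployment) to confirm the deny is in effect everywhere before relying on it in place of the upgrade.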

CWE(s)

CWE-22: Path Traversal

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: minio
Product: minio
Versions: ≤ 2022-07-29t19-40-48z

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Pathname validation (addresses CWE-22): validates pathnames and filenames to prevent traversal outside intended directories.

References