Unrated severityNVD Advisory· Published Feb 21, 2023· Updated Mar 10, 2025

Allowed DELETE on resources on object locked buckets under Governance mode in Minio

CVE-2023-25812

Description

Minio is a Multi-Cloud Object Storage framework. Affected versions do not correctly honor a Deny policy on ByPassGoverance. Ideally, minio should return "Access Denied" to all users attempting to DELETE a versionId with the special header X-Amz-Bypass-Governance-Retention: true. However, this was not honored instead the request will be honored and an object under governance would be incorrectly deleted. All users are advised to upgrade. There are no known workarounds for this issue.

Affected products

Minio/Miniov5
Range: >= RELEASE.2020-04-10T03-34-42Z, < RELEASE.2023-02-17T17-52-43Z

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/minio/minio/commit/a7188bc9d0f0a5ae05aaf1b8126bcd3cb3fdc485mitrex_refsource_MISC
github.com/minio/minio/pull/16635mitrex_refsource_MISC
github.com/minio/minio/security/advisories/GHSA-c8fc-mjj8-fc63mitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000