=====================================================================
CERT-Renater Information Note No. 2025/VULN712
_____________________________________________________________________

DATE : 17/10/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running MinIO versions prior to
RELEASE.2025-10-15T17-29-55Z.
=====================================================================

https://github.com/minio/minio/security/advisories/GHSA-jjjj-jwhf-8rgr
_____________________________________________________________________

Privilege Escalation via Session Policy Bypass in Service Accounts and STS

Severity : High
Published by harshavardhana as GHSA-jjjj-jwhf-8rgr on Oct 16, 2025

Package          : github.com/minio/minio (Go)
Affected versions: all (prior to the patched release)
Patched versions : RELEASE.2025-10-15T17-29-55Z

Description

Summary

A privilege escalation vulnerability allows service accounts and STS
(Security Token Service) accounts with restricted session policies to
bypass their inline policy restrictions when performing operations on
their "own" account, specifically when creating new service accounts for
the same user.

Details

The vulnerability lies in the IAM policy validation logic in cmd/iam.go.
When validating session policies for restricted accounts performing
operations on their own account (such as creating service accounts), the
code incorrectly relied on the DenyOnly argument. The DenyOnly flag lets
an account perform actions related to its own account by checking only
whether the action is explicitly denied. However, when a session policy
(sub-policy) is present, the system should verify that the action is
actually allowed by the session policy, not merely that it is not denied.
Attack Scenario

1. An administrator creates a service account or STS account with a
   restricted inline policy (e.g., access only to bucket1 and bucket2).
2. The restricted account attempts to create a new service account for
   itself without specifying any policy restrictions.
3. Because of the bypass, the new service account is created with the
   full privileges of the parent instead of being restricted by the
   inline policy.
4. The attacker now holds privileges beyond the intended restrictions.

Impact

- Attack Complexity: LOW - exploitation requires only valid credentials
  for a restricted service/STS account.
- Confidentiality: HIGH - attackers can access buckets and objects beyond
  their intended restrictions.
- Integrity: HIGH - attackers can modify, delete, or create objects
  outside their authorized scope.
- Availability: NONE - does not directly impact service availability.

Patches

Fixed in PR #21642 (commit c1a4949).

Install the release:

    go install -v github.com/minio/minio@RELEASE.2025-10-15T17-29-55Z

Workarounds

No workarounds are available; upgrade to the patched release immediately.
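The following Go program is an added illustration, not MinIO's code and not the patch itself. It models the two checks contrasted in the Details section above (block only on explicit deny, versus require an explicit allow from the session policy) and replays the four-step attack scenario against each. The policy format, the action name "admin:CreateServiceAccount", the resource ARNs, the bucket and account names, and all function names are simplifying assumptions for the example; the real evaluator in cmd/iam.go is considerably richer and the example does not model how a child policy is bounded by its parent.

```go
package main

import (
	"fmt"
	"strings"
)

// Statement is a simplified IAM statement: no conditions, trailing "*" is the only wildcard.
type Statement struct {
	Effect    string // "Allow" or "Deny"
	Actions   []string
	Resources []string
}
type Policy struct{ Statements []Statement }

// Account is a credential: the parent user's policy plus an optional session
// (inline) policy. A nil Session means no restriction beyond Parent.
type Account struct {
	Name    string
	Parent  Policy
	Session *Policy
}

func matchesAny(patterns []string, value string) bool {
	for _, p := range patterns {
		if p == value || (strings.HasSuffix(p, "*") && strings.HasPrefix(value, p[:len(p)-1])) {
			return true
		}
	}
	return false
}

// Evaluate reports whether any statement explicitly allows, and any explicitly denies, the request.
func (p Policy) Evaluate(action, resource string) (allowed, denied bool) {
	for _, s := range p.Statements {
		if matchesAny(s.Actions, action) && matchesAny(s.Resources, resource) {
			allowed = allowed || s.Effect == "Allow"
			denied = denied || s.Effect == "Deny"
		}
	}
	return allowed, denied
}

// IsAllowedDenyOnly models the pre-fix check: an "own account" action is refused only
// if the session policy explicitly denies it, so a policy that never mentions it lets it through.
func IsAllowedDenyOnly(session *Policy, action, resource string) bool {
	if session == nil {
		return true
	}
	_, denied := session.Evaluate(action, resource)
	return !denied
}

// IsAllowedBySession models the fixed check: with a session policy present,
// the action must be explicitly allowed by it and not denied.
func IsAllowedBySession(session *Policy, action, resource string) bool {
	if session == nil {
		return true
	}
	allowed, denied := session.Evaluate(action, resource)
	return allowed && !denied
}

// CanAccess is the ordinary data-path check: Parent must allow, and Session, if present, too.
func CanAccess(a Account, action, resource string) bool {
	allowed, denied := a.Parent.Evaluate(action, resource)
	return allowed && !denied && IsAllowedBySession(a.Session, action, resource)
}

type SessionCheck func(session *Policy, action, resource string) bool

// CreateServiceAccount creates a child credential for owner. The child keeps the owner's parent
// policy; its session policy is whatever the caller supplies (nil = full parent privileges).
func CreateServiceAccount(owner Account, name string, inline *Policy, check SessionCheck) (Account, bool) {
	if !check(owner.Session, "admin:CreateServiceAccount", "*") { // action name assumed for the example
		return Account{}, false
	}
	return Account{Name: name, Parent: owner.Parent, Session: inline}, true
}

// RunScenario plays the advisory's four steps under the given check: was the unrestricted
// child created, and can it then read an object in bucket3, outside the inline policy?
func RunScenario(check SessionCheck) (created, readsBucket3 bool) {
	fullAccess := Policy{Statements: []Statement{{"Allow", []string{"*"}, []string{"*"}}}}
	restricted := &Policy{Statements: []Statement{{"Allow", []string{"s3:*"}, []string{
		"arn:aws:s3:::bucket1", "arn:aws:s3:::bucket1/*", "arn:aws:s3:::bucket2", "arn:aws:s3:::bucket2/*"}}}}
	svc := Account{Name: "alice-svc", Parent: fullAccess, Session: restricted}
	secret := "arn:aws:s3:::bucket3/secret.txt" // constructed sample object; svc itself cannot read it
	child, ok := CreateServiceAccount(svc, "alice-svc-2", nil, check) // no inline policy requested
	if !ok {
		return false, false
	}
	return true, CanAccess(child, "s3:GetObject", secret)
}

func main() {
	c, r := RunScenario(IsAllowedDenyOnly)
	fmt.Printf("DenyOnly (vulnerable): child created=%v, child reads bucket3=%v\n", c, r)
	c, r = RunScenario(IsAllowedBySession)
	fmt.Printf("session policy (fixed): child created=%v, child reads bucket3=%v\n", c, r)
}
```

The session policy in the scenario grants s3:* on two buckets and says nothing about creating service accounts. Under the deny-only check that silence is treated as permission, the child is created with no session policy and inherits the parent's full access, so it reads bucket3. Under the fixed check the same silence is a refusal and the escalation never starts. The same reasoning applies when auditing: a child service account whose session policy is absent or broader than its creator's is the artifact to look for.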
Mitigation Steps

1. Upgrade MinIO: update to the release containing the fix.
2. Audit service accounts: review all service accounts created by
   non-admin accounts.
3. Revoke suspicious accounts: delete any service accounts that may have
   been created through exploitation.
4. Review access logs: check for unauthorized access to sensitive buckets.

References

Fix PR      : #21642
Affected code: cmd/iam.go (functions isAllowedBySessionPolicyForServiceAccount
               and isAllowedBySessionPolicy)

Severity

High, CVSS v3.1 base score 8.1/10

Attack vector      : Network
Attack complexity  : Low
Privileges required: Low
User interaction   : None
Scope              : Unchanged
Confidentiality    : High
Integrity          : High
Availability       : None

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CVE ID   : CVE-2025-62506
Weakness : CWE-863 (Incorrect Authorization)
Credits  : @donatello (remediation developer)

=========================================================
+ CERT-RENATER       | tel : 01-53-94-20-44             +
+ 23/25 Rue Daviel   | fax : 01-53-94-20-41             +
+ 75013 Paris        | email : cert@support.renater.fr  +
=========================================================