x/vulndb: potential Go vuln in github.com/minio/minio: GHSA-jjjj-jwhf-8rgr

[GoVulnBot]

Advisory GHSA-jjjj-jwhf-8rgr references a vulnerability in the following Go modules:

Module
github.com/minio/minio

Description:

Summary

A privilege escalation vulnerability allows service accounts and STS (Security Token Service) accounts with restricted session policies to bypass their inline policy restrictions when performing "own" account operations, specifically when creating new service accounts for the same user.

Details

The vulnerability exists in the IAM policy validation logic in cmd/iam.go. When validating session policies for restricted accounts performing operations on their own account (such as creating service accounts), the code incorrectly relied on the DenyOnly argument.

The DenyOnly f...

References:

• ADVISORY: GHSA-jjjj-jwhf-8rgr
• ADVISORY: GHSA-jjjj-jwhf-8rgr
• FIX: minio/minio@c1a4949
• FIX: fix: check sub-policy properly when present minio/minio#21642

Cross references:

• github.com/minio/minio appears in 18 other report(s):
  • data/excluded/GO-2022-0285.yaml (x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2021-43858 #285) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-0421.yaml (x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2022-24842 #421) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-0479.yaml (x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2022-31028 #479) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-0756.yaml (x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2022-35919 #756) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1591.yaml (x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2023-25812 #1591) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1634.yaml (x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2023-27589 #1634) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1667.yaml (x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2023-28432 #1667) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1668.yaml (x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2023-28433 #1668) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1669.yaml (x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2023-28434 #1669) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-2206.yaml (x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2018-1000538 #2206) LEGACY_FALSE_POSITIVE
  • data/excluded/GO-2023-2267.yaml (x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2020-11012 #2267) LEGACY_FALSE_POSITIVE
  • data/excluded/GO-2023-2318.yaml (x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2021-21287 #2318) LEGACY_FALSE_POSITIVE
  • data/excluded/GO-2023-2322.yaml (x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2021-21362 #2322) LEGACY_FALSE_POSITIVE
  • data/reports/GO-2024-2499.yaml (x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2024-24747 #2499)
  • data/reports/GO-2024-2886.yaml (x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2024-36107 #2886)
  • data/reports/GO-2024-3336.yaml (x/vulndb: potential Go vuln in github.com/minio/minio: GHSA-cwq8-g58r-32hg #3336)
  • data/reports/GO-2025-3495.yaml (x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2025-27414 #3495)
  • data/reports/GO-2025-3594.yaml (x/vulndb: potential Go vuln in github.com/minio/minio: GHSA-wg47-6jq2-q2hh #3594)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/minio/minio
      versions:
        - fixed: 0.0.0-20251015170045-c1a49490c78e
summary: |-
    MinIO is Vulnerable to Privilege Escalation via Session Policy Bypass in Service
    Accounts and STS in github.com/minio/minio
cves:
    - CVE-2025-62506
ghsas:
    - GHSA-jjjj-jwhf-8rgr
references:
    - advisory: https://github.com/advisories/GHSA-jjjj-jwhf-8rgr
    - advisory: https://github.com/minio/minio/security/advisories/GHSA-jjjj-jwhf-8rgr
    - fix: https://github.com/minio/minio/commit/c1a49490c78e9c3ebcad86ba0662319138ace190
    - fix: https://github.com/minio/minio/pull/21642
notes:
    - fix: 'github.com/minio/minio: could not add vulnerable_at: cannot auto-guess when fixed version is 0.0.0 pseudo-version'
source:
    id: GHSA-jjjj-jwhf-8rgr
    created: 2025-10-16T22:02:51.646637298Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/715780 mentions this issue: data/reports: add 47 UNREVIEWED reports