We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2025-32963

Minio Operator uses Kubernetes apiserver audience for AssumeRoleWithWebIdentity STS



Description

MinIO Operator STS is a native IAM Authentication for Kubernetes. Prior to version 7.1.0, if no audiences are provided for the `spec.audiences` field, the default will be of the Kubernetes apiserver. Without scoping, it can be replayed to other internal systems, which may unintentionally trust it. This issue has been patched in version 7.1.0.

Reserved 2025-04-14 | Published 2025-04-22 | Updated 2025-04-25 | Assigner GitHub_M


MEDIUM: 6.9CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-522: Insufficiently Protected Credentials

Product status

< 7.1.0
affected

References

github.com/...erator/security/advisories/GHSA-7m6v-q233-q9j9

github.com/minio/operator/releases/tag/v7.1.0

cve.org (CVE-2025-32963)

nvd.nist.gov (CVE-2025-32963)

Download JSON

Share this page
https://cve.threatint.eu/CVE/CVE-2025-32963

Support options

Helpdesk Chat, Email, Knowledgebase
© Copyright 2025 THREATINT
Made in Cyprus with +
 System status
Find us on
Data Privacy
Terms of Use
Logo BSI Allianz für Cyber-Sicherheit
Error loading Crisp.chat. Please check your web content filter and browser plugins.