CVE-2025-27414 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2025-27414 Interim 1 7 2026-03-05T01:11:14Z current 2025-03-14T00:12:16Z 2026-03-05T01:11:14Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2025-27414 MinIO is a high performance object storage. Starting in RELEASE.2024-06-06T09-36-42Z and prior to RELEASE.2025-02-28T09-55-16Z, a bug in evaluating the trust of the SSH key used in an SFTP connection to MinIO allows authentication bypass and unauthorized data access. On a MinIO server with SFTP access configured and using LDAP as an external identity provider, MinIO supports SSH key based authentication for SFTP connections when the user has the `sshPublicKey` attribute set in their LDAP server. The server trusts the client's key only when the public key is the same as the `sshPublicKey` attribute. Due to the bug, when the user has no `sshPublicKey` property in LDAP, the server ends up trusting the key allowing the client to perform any FTP operations allowed by the MinIO access policies associated with the LDAP user (or any of their groups). Three requirements must be met in order to exploit the vulnerability. First, the MinIO server must be configured to allow SFTP access and use LDAP as an external identity provider. Second, the attacker must have knowledge of an LDAP username that does not have the `sshPublicKey` property set. Third, such an LDAP username or one of their groups must also have some MinIO access policy configured. When this bug is successfully exploited, the attacker can perform any FTP operations (i.e. reading, writing, deleting and listing objects) allowed by the access policy associated with the LDAP user account (and their groups). Version 1.2.0 fixes the issue. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://www.suse.com/support/security/rating/ SUSE Security Ratings Container suse/sl-micro/6.0/baremetal-os-container:latest Container suse/sl-micro/6.0/base-os-container:latest Container suse/sl-micro/6.0/kvm-os-container:latest Container suse/sl-micro/6.0/rt-os-container:latest Container suse/sl-micro/6.0/toolbox:latest Image SL-Micro Image SL-Micro-Base Image SL-Micro-Base-RT Image SL-Micro-Base-RT-SelfInstall Image SL-Micro-Base-RT-encrypted Image SL-Micro-Base-SelfInstall Image SL-Micro-Base-encrypted Image SL-Micro-Base-qcow Image SL-Micro-Default Image SL-Micro-Default-SelfInstall Image SL-Micro-Default-encrypted Image SL-Micro-Default-qcow Image SLE-Micro Image SLE-Micro-Azure Image SLE-Micro-BYOS Image SLE-Micro-BYOS-Azure Image SLE-Micro-BYOS-EC2 Image SLE-Micro-BYOS-GCE Image SLE-Micro-EC2 Image SLE-Micro-GCE SUSE Linux Enterprise Server 16.0 openSUSE Tumbleweed govulncheck-vulndb-0.0.20250312T181707-1.1 govulncheck-vulndb-0.0.20250814T182633-160000.1.2 libxml2-2-2.11.6-3.1 libxml2-tools-2.11.6-3.1 update-alternatives-1.22.0-slfo.1.1_2.1 libxml2-2-2.11.6-3.1 as a component of Container suse/sl-micro/6.0/baremetal-os-container:latest libxml2-2-2.11.6-3.1 as a component of Container suse/sl-micro/6.0/base-os-container:latest libxml2-2-2.11.6-3.1 as a component of Container suse/sl-micro/6.0/kvm-os-container:latest libxml2-2-2.11.6-3.1 as a component of Container suse/sl-micro/6.0/rt-os-container:latest libxml2-2-2.11.6-3.1 as a component of Container suse/sl-micro/6.0/toolbox:latest libxml2-2-2.11.6-3.1 as a component of Image SL-Micro update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SL-Micro update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SL-Micro-Base update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SL-Micro-Base-RT update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SL-Micro-Base-RT-SelfInstall update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SL-Micro-Base-RT-encrypted update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SL-Micro-Base-SelfInstall update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SL-Micro-Base-encrypted update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SL-Micro-Base-qcow update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SL-Micro-Default update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SL-Micro-Default-SelfInstall update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SL-Micro-Default-encrypted update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SL-Micro-Default-qcow libxml2-2-2.11.6-3.1 as a component of Image SLE-Micro libxml2-tools-2.11.6-3.1 as a component of Image SLE-Micro update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SLE-Micro libxml2-2-2.11.6-3.1 as a component of Image SLE-Micro-Azure libxml2-tools-2.11.6-3.1 as a component of Image SLE-Micro-Azure update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SLE-Micro-Azure libxml2-2-2.11.6-3.1 as a component of Image SLE-Micro-BYOS libxml2-tools-2.11.6-3.1 as a component of Image SLE-Micro-BYOS update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SLE-Micro-BYOS libxml2-2-2.11.6-3.1 as a component of Image SLE-Micro-BYOS-Azure libxml2-tools-2.11.6-3.1 as a component of Image SLE-Micro-BYOS-Azure update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SLE-Micro-BYOS-Azure libxml2-2-2.11.6-3.1 as a component of Image SLE-Micro-BYOS-EC2 libxml2-tools-2.11.6-3.1 as a component of Image SLE-Micro-BYOS-EC2 update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SLE-Micro-BYOS-EC2 libxml2-2-2.11.6-3.1 as a component of Image SLE-Micro-BYOS-GCE libxml2-tools-2.11.6-3.1 as a component of Image SLE-Micro-BYOS-GCE update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SLE-Micro-BYOS-GCE libxml2-2-2.11.6-3.1 as a component of Image SLE-Micro-EC2 libxml2-tools-2.11.6-3.1 as a component of Image SLE-Micro-EC2 update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SLE-Micro-EC2 libxml2-2-2.11.6-3.1 as a component of Image SLE-Micro-GCE libxml2-tools-2.11.6-3.1 as a component of Image SLE-Micro-GCE update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SLE-Micro-GCE govulncheck-vulndb-0.0.20250814T182633-160000.1.2 as a component of SUSE Linux Enterprise Server 16.0 govulncheck-vulndb-0.0.20250312T181707-1.1 as a component of openSUSE Tumbleweed MinIO is a high performance object storage. Starting in RELEASE.2024-06-06T09-36-42Z and prior to RELEASE.2025-02-28T09-55-16Z, a bug in evaluating the trust of the SSH key used in an SFTP connection to MinIO allows authentication bypass and unauthorized data access. On a MinIO server with SFTP access configured and using LDAP as an external identity provider, MinIO supports SSH key based authentication for SFTP connections when the user has the `sshPublicKey` attribute set in their LDAP server. The server trusts the client's key only when the public key is the same as the `sshPublicKey` attribute. Due to the bug, when the user has no `sshPublicKey` property in LDAP, the server ends up trusting the key allowing the client to perform any FTP operations allowed by the MinIO access policies associated with the LDAP user (or any of their groups). Three requirements must be met in order to exploit the vulnerability. First, the MinIO server must be configured to allow SFTP access and use LDAP as an external identity provider. Second, the attacker must have knowledge of an LDAP username that does not have the `sshPublicKey` property set. Third, such an LDAP username or one of their groups must also have some MinIO access policy configured. When this bug is successfully exploited, the attacker can perform any FTP operations (i.e. reading, writing, deleting and listing objects) allowed by the access policy associated with the LDAP user account (and their groups). Version 1.2.0 fixes the issue. CVE-2025-27414 Container suse/sl-micro/6.0/baremetal-os-container:latest:libxml2-2-2.11.6-3.1 Container suse/sl-micro/6.0/base-os-container:latest:libxml2-2-2.11.6-3.1 Container suse/sl-micro/6.0/kvm-os-container:latest:libxml2-2-2.11.6-3.1 Container suse/sl-micro/6.0/rt-os-container:latest:libxml2-2-2.11.6-3.1 Container suse/sl-micro/6.0/toolbox:latest:libxml2-2-2.11.6-3.1 Image SL-Micro:libxml2-2-2.11.6-3.1 Image SL-Micro:update-alternatives-1.22.0-slfo.1.1_2.1 Image SL-Micro-Base:update-alternatives-1.22.0-slfo.1.1_2.1 Image SL-Micro-Base-RT:update-alternatives-1.22.0-slfo.1.1_2.1 Image SL-Micro-Base-RT-SelfInstall:update-alternatives-1.22.0-slfo.1.1_2.1 Image SL-Micro-Base-RT-encrypted:update-alternatives-1.22.0-slfo.1.1_2.1 Image SL-Micro-Base-SelfInstall:update-alternatives-1.22.0-slfo.1.1_2.1 Image SL-Micro-Base-VMware:update-alternatives-1.22.0-slfo.1.1_2.1 Image SL-Micro-Base-encrypted:update-alternatives-1.22.0-slfo.1.1_2.1 Image SL-Micro-Base-qcow:update-alternatives-1.22.0-slfo.1.1_2.1 Image SL-Micro-Default:update-alternatives-1.22.0-slfo.1.1_2.1 Image SL-Micro-Default-SelfInstall:update-alternatives-1.22.0-slfo.1.1_2.1 Image SL-Micro-Default-VMware:update-alternatives-1.22.0-slfo.1.1_2.1 Image SL-Micro-Default-encrypted:update-alternatives-1.22.0-slfo.1.1_2.1 Image SL-Micro-Default-qcow:update-alternatives-1.22.0-slfo.1.1_2.1 Image SLE-Micro:libxml2-2-2.11.6-3.1 Image SLE-Micro:libxml2-tools-2.11.6-3.1 Image SLE-Micro:update-alternatives-1.22.0-slfo.1.1_2.1 Image SLE-Micro-Azure:libxml2-2-2.11.6-3.1 Image SLE-Micro-Azure:libxml2-tools-2.11.6-3.1 Image SLE-Micro-Azure:update-alternatives-1.22.0-slfo.1.1_2.1 Image SLE-Micro-BYOS:libxml2-2-2.11.6-3.1 Image SLE-Micro-BYOS:libxml2-tools-2.11.6-3.1 Image SLE-Micro-BYOS:update-alternatives-1.22.0-slfo.1.1_2.1 Image SLE-Micro-BYOS-Azure:libxml2-2-2.11.6-3.1 Image SLE-Micro-BYOS-Azure:libxml2-tools-2.11.6-3.1 Image SLE-Micro-BYOS-Azure:update-alternatives-1.22.0-slfo.1.1_2.1 Image SLE-Micro-BYOS-EC2:libxml2-2-2.11.6-3.1 Image SLE-Micro-BYOS-EC2:libxml2-tools-2.11.6-3.1 Image SLE-Micro-BYOS-EC2:update-alternatives-1.22.0-slfo.1.1_2.1 Image SLE-Micro-BYOS-GCE:libxml2-2-2.11.6-3.1 Image SLE-Micro-BYOS-GCE:libxml2-tools-2.11.6-3.1 Image SLE-Micro-BYOS-GCE:update-alternatives-1.22.0-slfo.1.1_2.1 Image SLE-Micro-EC2:libxml2-2-2.11.6-3.1 Image SLE-Micro-EC2:libxml2-tools-2.11.6-3.1 Image SLE-Micro-EC2:update-alternatives-1.22.0-slfo.1.1_2.1 Image SLE-Micro-GCE:libxml2-2-2.11.6-3.1 Image SLE-Micro-GCE:libxml2-tools-2.11.6-3.1 Image SLE-Micro-GCE:update-alternatives-1.22.0-slfo.1.1_2.1 SUSE Linux Enterprise Server 16.0:govulncheck-vulndb-0.0.20250814T182633-160000.1.2 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1 moderate