How severe is CVE-2025-31489?

This vulnerability has a severity rating of HIGH with a CVSS score of N/A out of 10.

What type of vulnerability is CVE-2025-31489?

This is classified as CWE-347, which is a common weakness in software security.

CVE-2025-31489 - HIGH Severity | CVSS N/A

Vulnerability Description

MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. The signature component of the authorization may be invalid, which would mean that as a client you can use any arbitrary secret to upload objects given the user already has prior WRITE permissions on the bucket. Prior knowledge of access-key, and bucket name this user might have access to - and an access-key with a WRITE permissions is necessary. However with relevant information in place, uploading random objects to buckets is trivial and easy via curl. This issue is fixed in RELEASE.2025-04-03T14-56-28Z.

Related Vulnerabilities

CVE-2020-2021

CRITICAL

CVSS:10.0(Critical)

When Security Assertion Markup Language (SAML) authentication is enabled and the 'Validate Identity Provider Certificate' option is disabled (unchecked), improper verification of signatures in PAN-OS ...

CWE-3472020

CVE-2023-25574

CRITICAL

CVSS:10.0(Critical)

`jupyterhub-ltiauthenticator` is a JupyterHub authenticator for learning tools interoperability (LTI). LTI13Authenticator that was introduced in `jupyterhub-ltiauthenticator` 1.3.0 wasn't validating J...

CWE-3472023

CVE-2024-32962

CRITICAL

CVSS:10.0(Critical)

xml-crypto is an xml digital signature and encryption library for Node.js. In affected versions the default configuration does not check authorization of the signer, it only checks the validity of the...

CWE-3472024

CVE-2022-26510

CRITICAL

CVSS:9.9(Critical)

A firmware update vulnerability exists in the iburn firmware checks functionality of InHand Networks InRouter302 V3.5.37. A specially-crafted HTTP request can lead to firmware update. An attacker can ...

CWE-3472022

CVE-2014-3585

CRITICAL

CVSS:9.8(Critical)

redhat-upgrade-tool: Does not check GPG signatures when upgrading versions

CWE-3472014

CVE-2016-20021

CRITICAL

CVSS:9.8(Critical)

In Gentoo Portage before 3.0.47, there is missing PGP validation of executed code: the standalone emerge-webrsync downloads a .gpgsig file but does not perform signature verification. Unless emerge-we...

CWE-3472016