VDB
CVE-2025-32963
CVE-2025-32963
PUBLISHED
CVSS 6.900000095367432 MEDIUM
MinIO Operator STS is a native IAM Authentication for Kubernetes. Prior to version 7.1.0, if no audiences are provided for the `spec.audiences` field, the default will be of the Kubernetes apiserver. Without scoping, it can be replayed to other internal systems, which may unintentionally trust it. This issue has been patched in version 7.1.0.
EPSS 0.03% · 10.5th percentile
Risk Scores
CVSS 4.0
6.900000095367432
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS Score
0.03%
10.5th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| minio | operator | < 7.1.0, < 7.1.0 |
| github.com | minio/operator | 0, 0 |
Exploit Intelligence
- CIRCL published-proof-of-concept: CVE-2025-32963 (circl-sighting)
- CIRCL seen: CVE-2025-32963 (circl-sighting)
- CIRCL seen: CVE-2025-32963 (circl-sighting)
- https://github.com/minio/operator/security/advisories/GHSA-7m6v-q233-q9j9 (circl)
- https://github.com/minio/operator/commit/d586294d526bf0d8e6097225114655f68b0adcc5 (circl)
- https://github.com/minio/operator/releases/tag/v7.1.0 (circl)
Timeline
- Jan 21, 1970 Security Advisory
- Apr 21, 2025 CVE Published
- Apr 22, 2025 Coalition ESS Score
- Apr 22, 2025 PoC Published
- Apr 22, 2025 PoC Published
- Apr 23, 2025 EPSS Score
- Apr 23, 2025 Coalition ESS Score
- Apr 25, 2025 PoC Published
- May 5, 2025 EPSS Score
- May 17, 2025 EPSS Score
- May 29, 2025 EPSS Score
- Jun 11, 2025 EPSS Score
References
- https://github.com/minio/operator/security/advisories/GHSA-7m6v-q233-q9j9 url
- https://github.com/minio/operator/commit/d586294d526bf0d8e6097225114655f68b0adcc5 url
- https://github.com/minio/operator/releases/tag/v7.1.0 url
- https://nvd.nist.gov/vuln/detail/CVE-2025-32963 advisory
- https://github.com/minio/operator package