CVE-2025-27414: 
vulnerability analysis and mitigation

MinIO, a high-performance object storage system, disclosed a vulnerability (CVE-2025-27414) affecting versions from RELEASE.2024-06-06T09-36-42Z to RELEASE.2025-02-28T09-55-16Z. The vulnerability stems from a bug in evaluating the trust of SSH keys used in SFTP connections to MinIO, which could allow authentication bypass and unauthorized data access when using LDAP as an external identity provider (GitHub Advisory).

The vulnerability occurs when MinIO is configured with SFTP access and LDAP as an external identity provider. The system supports SSH key-based authentication for SFTP connections when users have the 'sshPublicKey' attribute set in their LDAP server. However, due to improper validation, when a user has no 'sshPublicKey' property in LDAP, the server incorrectly trusts any provided key. The issue has been assigned a CVSS v4.0 score of 4.6 (Medium) with vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U (NVD).

When successfully exploited, an attacker can perform unauthorized FTP operations including reading, writing, deleting, and listing objects, limited to the access policy permissions associated with the compromised LDAP user account and their groups (GitHub Advisory).

The vulnerability has been patched in MinIO version RELEASE.2025-02-28T09-55-16Z. Users are advised to upgrade to this version or later to address the security issue (GitHub Advisory).