CVE-2022-31028

Public Exploit
Possible DDOS by establishing keep-alive connections with anonymous HTTP clients in MinIO

Description

MinIO is a multi-cloud object storage solution. Starting with version RELEASE.2019-09-25T18-25-51Z and ending with version RELEASE.2022-06-02T02-11-04Z, MinIO is vulnerable to an unending go-routine buildup while keeping connections established due to HTTP clients not closing the connections. Public-facing MinIO deployments are most affected. Users should upgrade to RELEASE.2022-06-02T02-11-04Z to receive a patch. One possible workaround is to use a reverse proxy to limit the number of connections being attempted in front of MinIO, and actively rejecting connections from such malicious clients.

Category

7.5
CVSS
Severity: High
CVSS 3.1 •
CVSS 2.0 •
EPSS 0.47%
Third-Party Advisory github.com Third-Party Advisory github.com Third-Party Advisory github.com Third-Party Advisory github.com
Affected: minio minio
Published at:
Updated at:

References

Link Tags
https://github.com/minio/minio/security/advisories/GHSA-qrpr-r3pw-f636 third party advisory
https://github.com/minio/minio/pull/14995 third party advisory patch
https://gist.github.com/harshavardhana/2d00e6f909054d2d2524c71485ad02e1 third party advisory exploit
https://github.com/minio/minio/releases/tag/RELEASE.2022-06-03T01-40-53Z third party advisory

Frequently Asked Questions

What is the severity of CVE-2022-31028?
CVE-2022-31028 has been scored as a high severity vulnerability.
How to fix CVE-2022-31028?
To fix CVE-2022-31028, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2022-31028 being actively exploited in the wild?
It is possible that CVE-2022-31028 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2022-31028?
CVE-2022-31028 affects minio minio.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.