Bypassing policy restrictions on regular users
CVE-2021-41137

8.8HIGH

Key Information:

Vendor

Minio

Status
Minio
Vendor
CVE Published:
13 October 2021

What is CVE-2021-41137?

Minio is a Kubernetes native application for cloud storage. All users on release RELEASE.2021-10-10T16-53-30Z are affected by a vulnerability that involves bypassing policy restrictions on regular users. Normally, checkKeyValid() should return owner true for rootCreds. In the affected version, policy restriction did not work properly for users who did not have service (svc) or security token service (STS) accounts. This issue is fixed in RELEASE.2021-10-13T00-23-17Z. A downgrade back to release RELEASE.2021-10-08T23-58-24Z is available as a workaround.

Affected Version(s)

minio = RELEASE.2021-10-10T16-53-30Z

References

https://github.com/minio/minio/security/advisories/GHSA-v...
x_refsource_CONFIRM
https://github.com/minio/minio/pull/13388
x_refsource_MISC
https://github.com/minio/minio/pull/13422
x_refsource_MISC

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.