PT-2021-14390 · Minio

Aead

Published: 2021-01-30 · Updated: 2024-03-06 · CVE-2021-21287

CVSS v3.1: 7.7 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions: MinIO versions prior to RELEASE.2021-01-30T00-20-58Z

Description: The issue is a server-side request forgery (SSRF) vulnerability. The target application may have functionality for importing data from a URL, publishing data to a URL, or otherwise reading data from a URL that can be tampered with. An attacker can modify the calls to this functionality by supplying a completely different URL or by manipulating how URLs are built, allowing them to abuse functionality on the server to read or update internal resources. This can enable the attacker to read server configuration, connect to internal services, or send POST requests to internal services that are not intended to be exposed.

Recommendations: For versions prior to RELEASE.2021-01-30T00-20-58Z, upgrade to version RELEASE.2021-01-30T00-20-58Z or later. As a temporary workaround, consider disabling the browser front-end by setting the MINIO_BROWSER environment variable to off.

Fix

SSRF

Weakness Enumeration

Related Identifiers

ALT-PU-2021-1232
ALT-PU-2021-1346
ALT-PU-2022-1258
BIT-MINIO-2021-21287
CVE-2021-21287
GHSA-M4QQ-5F7C-693Q

Affected Products

Alt Linux
Minio