PT-2021-14469 · MinIO

Harshavardhana · Published 2021-03-17 · Updated 2024-03-06 · CVE-2021-21390

CVSS v3.1: 6.5 Medium
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: MinIO versions prior to RELEASE.2021-03-17T02-33-02Z

Description: MinIO is an open-source, high-performance object storage service whose API is compatible with the Amazon S3 cloud storage service. The issue enables MITM modification of request bodies whose integrity is meant to be guaranteed by chunk signatures. In a PUT request using aws-chunked encoding, MinIO ordinarily verifies the signature at the end of each chunk. This check can be skipped if the client sends a false chunk size that is much greater than the actual data sent: the server accepts and completes the request without ever reaching the end of the chunk, and thereby without ever checking the chunk signature.

Recommendations: For versions prior to RELEASE.2021-03-17T02-33-02Z, update to RELEASE.2021-03-17T02-33-02Z or later. As a temporary workaround, avoid aws-chunked encoding-based chunk-signature upload requests and use TLS instead. MinIO SDKs automatically disable chunked-encoding signatures when the server endpoint is configured with TLS.
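To make the fixed behaviour concrete, here is an added example of an aws-chunked body reader written the way the advisory requires; it is not MinIO's own code. The reader accepts data only after the declared chunk length, its trailing CRLF and a verified chunk signature have all been received, so an input that ends before the declared chunk is complete is an error rather than a completed upload. The chunk signature follows the SigV4 AWS4-HMAC-SHA256-PAYLOAD string-to-sign. The secret key, date, region, seed signature and sample body are constructed values, and the names chunkSigner, newChunkSigner, readSignedChunks and encodeChunks are this example's own.

```go
package main

import (
	"bufio"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"strconv"
	"strings"
)

type chunkSigner struct {
	signingKey []byte // SigV4 signing key derived from the secret access key
	amzDate    string // e.g. 20210317T000000Z
	scope      string // e.g. 20210317/us-east-1/s3/aws4_request
}

func hmacSHA256(key []byte, msg string) []byte { m := hmac.New(sha256.New, key); m.Write([]byte(msg)); return m.Sum(nil) }
func sha256Hex(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }

// newChunkSigner derives the signing key with the standard SigV4 HMAC chain.
func newChunkSigner(secret, amzDate, region string) *chunkSigner {
	date := amzDate[:8]
	k := hmacSHA256([]byte("AWS4"+secret), date)
	k = hmacSHA256(k, region)
	k = hmacSHA256(k, "s3")
	k = hmacSHA256(k, "aws4_request")
	return &chunkSigner{signingKey: k, amzDate: amzDate, scope: date + "/" + region + "/s3/aws4_request"}
}

// chunkSignature: HMAC over the AWS4-HMAC-SHA256-PAYLOAD string-to-sign, chained from the previous signature.
func (c *chunkSigner) chunkSignature(prevSig string, data []byte) string {
	sts := strings.Join([]string{"AWS4-HMAC-SHA256-PAYLOAD", c.amzDate, c.scope,
		prevSig, sha256Hex(nil), sha256Hex(data)}, "\n")
	return hex.EncodeToString(hmacSHA256(c.signingKey, sts))
}

var errIncomplete = errors.New("aws-chunked: input ended before the declared chunk was complete")
var errBadHeader = errors.New("aws-chunked: malformed chunk header")
var errBadSig = errors.New("aws-chunked: chunk signature mismatch")

// readSignedChunks returns the decoded payload only after every chunk, including the
// final zero-length one, has been fully read and its signature verified.
func (c *chunkSigner) readSignedChunks(r io.Reader, seedSig string) ([]byte, error) {
	br := bufio.NewReader(r)
	var payload []byte
	prev := seedSig
	for {
		line, err := br.ReadString('\n')
		if err != nil {
			return nil, errIncomplete
		}
		sizeStr, sig, ok := strings.Cut(strings.TrimSuffix(line, "\r\n"), ";chunk-signature=")
		size, perr := strconv.ParseInt(sizeStr, 16, 64)
		if !ok || perr != nil || size < 0 {
			return nil, errBadHeader
		}
		buf := make([]byte, size+2) // chunk data plus its trailing CRLF
		// ReadFull fails when fewer than size+2 bytes arrive, so an oversized declared size is rejected, not accepted at EOF.
		if _, err := io.ReadFull(br, buf); err != nil || string(buf[size:]) != "\r\n" {
			return nil, errIncomplete
		}
		want := c.chunkSignature(prev, buf[:size])
		if !hmac.Equal([]byte(want), []byte(sig)) {
			return nil, errBadSig
		}
		if size == 0 {
			return payload, nil // final chunk verified: the body is complete
		}
		payload = append(payload, buf[:size]...)
		prev = want
	}
}

// encodeChunks builds a well-formed aws-chunked body; used here only to construct sample input.
func (c *chunkSigner) encodeChunks(seedSig string, chunks ...[]byte) string {
	var b strings.Builder
	prev := seedSig
	for _, ch := range append(chunks, nil) { // trailing nil produces the final 0-byte chunk
		sig := c.chunkSignature(prev, ch)
		fmt.Fprintf(&b, "%x;chunk-signature=%s\r\n%s\r\n", len(ch), sig, ch)
		prev = sig
	}
	return b.String()
}

func main() {
	// Constructed credentials; seed stands in for the Authorization-header signature.
	s := newChunkSigner("wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", "20210317T000000Z", "us-east-1")
	seed := strings.Repeat("ab", 32)
	body := s.encodeChunks(seed, []byte("hello "), []byte("world"))
	got, err := s.readSignedChunks(strings.NewReader(body), seed)
	fmt.Printf("well-formed body: %q err=%v\n", got, err)
	oversized := strings.Replace(body, "6;chunk-signature=", "1000;chunk-signature=", 1) // claims 0x1000 bytes, sends 6
	_, err = s.readSignedChunks(strings.NewReader(oversized), seed)
	fmt.Println("oversized declared size:", err)
}
```

The ordering inside the loop is the point: the signature is computed over exactly the bytes the header promised, and nothing is appended to the payload until both the full chunk and its signature have been checked. A server that instead treated end of stream as end of request would finish the upload with the last chunk unverified, which is the condition the advisory describes.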


Related Identifiers

ALT-PU-2021-1565
ALT-PU-2022-1258
BIT-MINIO-2021-21390
CVE-2021-21390
GHSA-XR7R-7GPJ-5PGP

Affected Products

Alt Linux
Minio