PT-2021-23119 · Minio · Minio

Harshavardhana

Published: 2021-10-13 · Updated: 2024-03-06

CVE-2021-41137

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Minio versions RELEASE.2021-10-10T16-53-30Z through RELEASE.2021-10-12T23-59-59Z
Description: The issue is a bypass of policy restrictions on regular users in Minio, a Kubernetes-native application for cloud storage. Normally, the checkKeyValid() function should return owner true only for rootCreds. In the affected versions, however, policy restrictions were not enforced properly for users who did not have service (svc) or security token service (STS) accounts, so such users were not limited to what their policies allowed.
Recommendations: For versions RELEASE.2021-10-10T16-53-30Z through RELEASE.2021-10-12T23-59-59Z, update to RELEASE.2021-10-13T00-23-17Z to resolve the issue. As a temporary workaround, consider downgrading back to release RELEASE.2021-10-08T23-58-24Z.
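As an added example that is not part of this advisory or of the MinIO project, the following Python script checks whether a deployed build falls inside the affected release range and returns the advisory's recommended action. It assumes the RELEASE.<timestamp>Z tag format used above and that the tag can be pasted in as a bare string or as part of a version banner line.

```python
import re
from datetime import datetime, timezone

# Release tags taken from the advisory text (CVE-2021-41137).
FIRST_AFFECTED = "RELEASE.2021-10-10T16-53-30Z"
LAST_AFFECTED = "RELEASE.2021-10-12T23-59-59Z"
FIXED = "RELEASE.2021-10-13T00-23-17Z"
WORKAROUND = "RELEASE.2021-10-08T23-58-24Z"

# MinIO release tags embed a UTC timestamp; this layout matches the tags above
# (assumption: every tag encountered follows the same fixed-width pattern).
RELEASE_LAYOUT = "RELEASE.%Y-%m-%dT%H-%M-%SZ"
RELEASE_RE = re.compile(r"RELEASE\.\d{4}-\d{2}-\d{2}T\d{2}-\d{2}-\d{2}Z")


def extract_release_tag(text: str) -> str:
    """Pull the first RELEASE.<timestamp>Z tag out of free text (for example a
    pasted version banner). Raises ValueError if no tag is present."""
    match = RELEASE_RE.search(text)
    if match is None:
        raise ValueError(f"no MinIO release tag found in {text!r}")
    return match.group(0)


def parse_release(tag: str) -> datetime:
    """Convert a release tag into an aware UTC datetime so tags compare as times."""
    return datetime.strptime(tag, RELEASE_LAYOUT).replace(tzinfo=timezone.utc)


def is_affected(version_text: str) -> bool:
    """True when the build lies inside the affected range (both bounds inclusive)."""
    ts = parse_release(extract_release_tag(version_text))
    return parse_release(FIRST_AFFECTED) <= ts <= parse_release(LAST_AFFECTED)


def assess(version_text: str) -> str:
    """Return the advisory's recommendation for the given build."""
    if not is_affected(version_text):
        return "not affected by CVE-2021-41137"
    return (f"affected: update to {FIXED}; temporary workaround is to "
            f"downgrade to {WORKAROUND}")


if __name__ == "__main__":
    # Constructed sample inputs, not real server output.
    for sample in ("RELEASE.2021-10-11T10-00-00Z",
                   "minio version RELEASE.2021-10-13T00-23-17Z"):
        print(sample, "->", assess(sample))
```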

Fix

Weakness Enumeration: Improper Authorization

Related Identifiers

BIT-MINIO-2021-41137
CVE-2021-41137
GHSA-V64V-G97P-577C

Affected Products

Minio