CVE-2021-41266

Name of the Vulnerable Software and Affected Versions Minio console versions prior to 0.12.3

Description The Minio console is subject to an authentication bypass issue in the Operator Console when an external IDP is enabled. This issue affects all users on release v0.12.2 and before. The estimated number of potentially affected devices worldwide is not available. There have been no reported real-world incidents where this issue was exploited. Technical details about exploitation include the use of external IDP authentication. To exploit this issue, an attacker would need to target the Operator Console with an external IDP enabled.

Recommendations For versions prior to 0.12.3, update to 0.12.3 or newer. For users unable to upgrade, add automountServiceAccountToken: false to the operator-console deployment in Kubernetes and disable the external identity provider authentication by unsetting the CONSOLE IDP URL, CONSOLE IDP CLIENT ID, CONSOLE IDP SECRET, and CONSOLE IDP CALLBACK environment variables, then use the Kubernetes service account token instead.