PT-2021-3472 · Minio+1 · Minio+1

Harshavardhana +1 · Published 2021-03-04 · Updated 2024-03-06 · CVE-2021-21362

CVSS v3.1: 7.7 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions

MinIO versions prior to RELEASE.2021-03-04T00-53-13Z

Description

The issue is an authorization error in MinIO, an open-source, high-performance object storage service compatible with Amazon S3 cloud storage. It allows a remote attacker to bypass a readOnly policy by creating a temporary 'mc share upload' URL, potentially impacting the integrity of protected information. Everyone using MinIO with multiple users is impacted.

Recommendations

For versions prior to RELEASE.2021-03-04T00-53-13Z, update to version RELEASE.2021-03-04T00-53-13Z to resolve the issue. As a temporary workaround, consider disabling uploads with Content-Type: multipart/form-data by using a proxy in front of MinIO, as mentioned in the S3 API RESTObjectPOST docs.
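The proxy workaround above, sketched as a small Go reverse proxy that refuses form-based POST uploads and forwards everything else. This is an added example, not MinIO's code or part of the advisory; the listen and upstream addresses and the names isFormPost and guard are assumptions.

```go
package main

import (
	"log"
	"mime"
	"net/http"
	"net/http/httputil"
	"net/url"
	"strings"
)

// isFormPost reports whether r is a form-based upload: an HTTP POST whose
// Content-Type media type is multipart/form-data (any casing, any parameters).
func isFormPost(r *http.Request) bool {
	if r.Method != http.MethodPost {
		return false
	}
	ct := r.Header.Get("Content-Type")
	mt, _, err := mime.ParseMediaType(ct)
	if err != nil {
		// Malformed header: compare the part before ';' so broken parameters do not slip through.
		mt = strings.ToLower(strings.TrimSpace(strings.SplitN(ct, ";", 2)[0]))
	}
	return mt == "multipart/form-data"
}

// guard rejects form uploads with 403 and logs them; other requests reach next.
func guard(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if isFormPost(r) {
			log.Printf("blocked form upload: POST %s from %s", r.URL.Path, r.RemoteAddr)
			http.Error(w, "form uploads are disabled", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Assumed addresses: MinIO on 127.0.0.1:9000, proxy listening on 127.0.0.1:8080.
	upstream, err := url.Parse("http://127.0.0.1:9000")
	if err != nil {
		log.Fatal(err)
	}
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", guard(httputil.NewSingleHostReverseProxy(upstream))))
}
```

The filter only helps if clients cannot reach MinIO except through the proxy, and the 403 log lines double as a record of who attempted form uploads while the workaround was in place.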

Exploit

Fix

Weakness Enumeration

Incorrect Authorization
Improper Authorization

Related Identifiers

ALT-PU-2021-1565
ALT-PU-2022-1258
BDU:2021-03386
BIT-MINIO-2021-21362
CVE-2021-21362
GHSA-HQ5J-6R98-9M8V

Affected Products

Alt Linux
Minio