PT-2021-7169 · Minio+1

Donatello · Published 2021-12-27 · Updated 2024-12-26 · CVE-2021-43858

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: MinIO versions prior to RELEASE.2021-12-27T07-23-18Z

Description: The issue is caused by insecure privilege management in MinIO, a Kubernetes-native application for cloud storage. It allows a remote attacker to elevate their privileges by crafting an HTTP API call. The vulnerability can be exploited to update a user's policy and thereby gain higher privileges.

Recommendations: For versions prior to RELEASE.2021-12-27T07-23-18Z, update to RELEASE.2021-12-27T07-23-18Z or later, which changes the accepted request body type and removes the ability to apply policy changes through this API. As a temporary workaround, add an explicit Deny rule that disables this API for users; note that the same rule also blocks password changes made through this API.

Exploit · Fix

Weakness Enumeration

Incorrect Authorization
Improper Privilege Management

Related Identifiers

ALT-PU-2022-1206
ALT-PU-2022-3382
ALT-PU-2023-1522
ALT-PU-2023-1908
ALT-PU-2023-2074
ALT-PU-2024-17529
BDU:2022-03596
BIT-MINIO-2021-43858
CVE-2021-43858
GHSA-J6JC-JQQC-P6CX

Affected Products

Alt Linux
Minio