CVE-2021-21362 - OpenCVE

MinIO is an open-source high performance object storage service and it is API compatible with Amazon S3 cloud storage service. In MinIO before version RELEASE.2021-03-04T00-53-13Z it is possible to bypass a readOnly policy by creating a temporary 'mc share upload' URL. Everyone is impacted who uses MinIO multi-users. This is fixed in version RELEASE.2021-03-04T00-53-13Z. As a workaround, one can disable uploads with `Content-Type: multipart/form-data` as mentioned in the S3 API RESTObjectPOST docs by using a proxy in front of MinIO.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:S/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Minio	Minio

Configuration 1 [-]

cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/minio/minio/commit/039f59b552319fcc2f83631bb421a7d4b82bc482
https://github.com/minio/minio/pull/11682
https://github.com/minio/minio/releases/tag/RELEASE.2021-03-04T00-53-13Z
https://github.com/minio/minio/security/advisories/GHSA-hq5j-6r98-9m8v
https://nvd.nist.gov/vuln/detail/CVE-2021-21362
https://www.cve.org/CVERecord?id=CVE-2021-21362

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2021-03-08T18:40:34

Updated: 2024-08-03T18:09:15.715Z

Reserved: 2020-12-22T00:00:00

Link: CVE-2021-21362

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-03-08T19:15:13.443

Modified: 2022-10-21T22:40:12.743

Link: CVE-2021-21362

Redhat

Severity : Moderate

Publid Date: 2021-03-18T00:00:00Z

Links: CVE-2021-21362 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "minio", "vendor": "minio", "versions": [{"status": "affected", "version": "< RELEASE.2021-03-04T00-53-13Z"}]}], "descriptions": [{"lang": "en", "value": "MinIO is an open-source high performance object storage service and it is API compatible with Amazon S3 cloud storage service. In MinIO before version RELEASE.2021-03-04T00-53-13Z it is possible to bypass a readOnly policy by creating a temporary 'mc share upload' URL. Everyone is impacted who uses MinIO multi-users. This is fixed in version RELEASE.2021-03-04T00-53-13Z. As a workaround, one can disable uploads with `Content-Type: multipart/form-data` as mentioned in the S3 API RESTObjectPOST docs by using a proxy in front of MinIO."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-285", "description": "CWE-285: Improper Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-03-08T18:40:34", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/minio/minio/security/advisories/GHSA-hq5j-6r98-9m8v"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/minio/minio/pull/11682"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/minio/minio/commit/039f59b552319fcc2f83631bb421a7d4b82bc482"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/minio/minio/releases/tag/RELEASE.2021-03-04T00-53-13Z"}], "source": {"advisory": "GHSA-hq5j-6r98-9m8v", "discovery": "UNKNOWN"}, "title": "Bypassing readOnly policy by creating a temporary 'mc share upload' URL", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-21362", "STATE": "PUBLIC", "TITLE": "Bypassing readOnly policy by creating a temporary 'mc share upload' URL"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "minio", "version": {"version_data": [{"version_value": "< RELEASE.2021-03-04T00-53-13Z"}]}}]}, "vendor_name": "minio"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "MinIO is an open-source high performance object storage service and it is API compatible with Amazon S3 cloud storage service. In MinIO before version RELEASE.2021-03-04T00-53-13Z it is possible to bypass a readOnly policy by creating a temporary 'mc share upload' URL. Everyone is impacted who uses MinIO multi-users. This is fixed in version RELEASE.2021-03-04T00-53-13Z. As a workaround, one can disable uploads with `Content-Type: multipart/form-data` as mentioned in the S3 API RESTObjectPOST docs by using a proxy in front of MinIO."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-285: Improper Authorization"}]}]}, "references": {"reference_data": [{"name": "https://github.com/minio/minio/security/advisories/GHSA-hq5j-6r98-9m8v", "refsource": "CONFIRM", "url": "https://github.com/minio/minio/security/advisories/GHSA-hq5j-6r98-9m8v"}, {"name": "https://github.com/minio/minio/pull/11682", "refsource": "MISC", "url": "https://github.com/minio/minio/pull/11682"}, {"name": "https://github.com/minio/minio/commit/039f59b552319fcc2f83631bb421a7d4b82bc482", "refsource": "MISC", "url": "https://github.com/minio/minio/commit/039f59b552319fcc2f83631bb421a7d4b82bc482"}, {"name": "https://github.com/minio/minio/releases/tag/RELEASE.2021-03-04T00-53-13Z", "refsource": "MISC", "url": "https://github.com/minio/minio/releases/tag/RELEASE.2021-03-04T00-53-13Z"}]}, "source": {"advisory": "GHSA-hq5j-6r98-9m8v", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T18:09:15.715Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/minio/minio/security/advisories/GHSA-hq5j-6r98-9m8v"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/minio/minio/pull/11682"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/minio/minio/commit/039f59b552319fcc2f83631bb421a7d4b82bc482"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/minio/minio/releases/tag/RELEASE.2021-03-04T00-53-13Z"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-21362", "datePublished": "2021-03-08T18:40:34", "dateReserved": "2020-12-22T00:00:00", "dateUpdated": "2024-08-03T18:09:15.715Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*", "matchCriteriaId": "D17AB9B3-22BB-48A4-8317-3EB80B812FFA", "versionEndExcluding": "2021-03-04t00-53-13z", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "MinIO is an open-source high performance object storage service and it is API compatible with Amazon S3 cloud storage service. In MinIO before version RELEASE.2021-03-04T00-53-13Z it is possible to bypass a readOnly policy by creating a temporary 'mc share upload' URL. Everyone is impacted who uses MinIO multi-users. This is fixed in version RELEASE.2021-03-04T00-53-13Z. As a workaround, one can disable uploads with `Content-Type: multipart/form-data` as mentioned in the S3 API RESTObjectPOST docs by using a proxy in front of MinIO."}, {"lang": "es", "value": "MinIO es un servicio de almacenamiento de objetos de alto rendimiento de c\u00f3digo abierto y es compatible con la API con el servicio de almacenamiento en nube Amazon S3. En MinIO versiones anteriores a RELEASE.2021-03-04T00-53-13Z, es posible omitir una pol\u00edtica de solo lectura al crear una URL temporal \"mc share upload\". Todos los que usan MinIO multiusuario est\u00e1n afectados. Esto es corregido en versi\u00f3n RELEASE.2021-03-04T00-53-13Z. Como una soluci\u00f3n alternativa, puede ser deshabilitar las cargas con \"Content-Type: multipart/form-data\" como es mencionado en los documentos RESTObjectPOST de la API S3 al usar un proxy frente a MinIO"}], "id": "CVE-2021-21362", "lastModified": "2022-10-21T22:40:12.743", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2021-03-08T19:15:13.443", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/minio/minio/commit/039f59b552319fcc2f83631bb421a7d4b82bc482"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/minio/minio/pull/11682"}, {"source": "security-advisories@github.com", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/minio/minio/releases/tag/RELEASE.2021-03-04T00-53-13Z"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/minio/minio/security/advisories/GHSA-hq5j-6r98-9m8v"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-285"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"bugzilla": {"description": "minio: Allows bypassing readOnly policy by creating a temporary 'mc share upload' URL", "id": "1980408", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1980408"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "status": "draft"}, "cwe": "CWE-287", "details": ["MinIO is an open-source high performance object storage service and it is API compatible with Amazon S3 cloud storage service. In MinIO before version RELEASE.2021-03-04T00-53-13Z it is possible to bypass a readOnly policy by creating a temporary 'mc share upload' URL. Everyone is impacted who uses MinIO multi-users. This is fixed in version RELEASE.2021-03-04T00-53-13Z. As a workaround, one can disable uploads with `Content-Type: multipart/form-data` as mentioned in the S3 API RESTObjectPOST docs by using a proxy in front of MinIO.", "A flaw has been identified in minio (https://github.com/minio/minio). It is possible to bypass a readOnly policy by creating a temporary 'mc share upload'."], "name": "CVE-2021-21362", "package_state": [{"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rcm-controller-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/cert-policy-controller-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/clusterlifecycle-state-metrics-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/config-policy-controller-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/endpoint-monitoring-rhel8-operator", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/governance-policy-propagator-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/governance-policy-spec-sync-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/governance-policy-status-sync-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/governance-policy-template-sync-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/iam-policy-controller-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/multicloud-manager-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/multiclusterhub-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/multicluster-operators-application-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/multicluster-operators-channel-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/multicluster-operators-deployable-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/multicluster-operators-placementrule-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/multicluster-operators-subscription-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/openshift-hive-rhel7", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/openshift-hive-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/search-collector-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/search-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/submariner-rhel8-operator", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/thanos-receive-controller-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/thanos-rhel7", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:openshift_container_storage:4", "fix_state": "Not affected", "package_name": "ocs4/mcg-rhel8-operator", "product_name": "Red Hat Openshift Container Storage 4"}, {"cpe": "cpe:/a:redhat:openshift_container_storage:4", "fix_state": "Not affected", "package_name": "ocs4/ocs-must-gather-rhel8", "product_name": "Red Hat Openshift Container Storage 4"}, {"cpe": "cpe:/a:redhat:openshift_container_storage:4", "fix_state": "Not affected", "package_name": "ocs4/ocs-rhel8-operator", "product_name": "Red Hat Openshift Container Storage 4"}, {"cpe": "cpe:/a:redhat:openshift_container_storage:4", "fix_state": "Not affected", "package_name": "ocs4/rook-ceph-rhel8-operator", "product_name": "Red Hat Openshift Container Storage 4"}], "public_date": "2021-03-18T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-21362\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-21362\nhttps://github.com/minio/minio/commit/039f59b552319fcc2f83631bb421a7d4b82bc482\nhttps://github.com/minio/minio/pull/11682\nhttps://github.com/minio/minio/releases/tag/RELEASE.2021-03-04T00-53-13Z\nhttps://github.com/minio/minio/security/advisories/GHSA-hq5j-6r98-9m8v"], "threat_severity": "Moderate", "upstream_fix": "minio v0.0.0-20210304002810-c3217bd6ebc0"}