CVE-2021-41137 - OpenCVE

Minio is a Kubernetes native application for cloud storage. All users on release `RELEASE.2021-10-10T16-53-30Z` are affected by a vulnerability that involves bypassing policy restrictions on regular users. Normally, checkKeyValid() should return owner true for rootCreds. In the affected version, policy restriction did not work properly for users who did not have service (svc) or security token service (STS) accounts. This issue is fixed in `RELEASE.2021-10-13T00-23-17Z`. A downgrade back to release `RELEASE.2021-10-08T23-58-24Z` is available as a workaround.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:S/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Minio	Minio

Configuration 1 [-]

cpe:2.3:a:minio:minio:2021-10-10t16-53-30z:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/minio/minio/commit/415bbc74aacd53a120e54a663e941b1809982dbd
https://github.com/minio/minio/pull/13388
https://github.com/minio/minio/pull/13422
https://github.com/minio/minio/security/advisories/GHSA-v64v-g97p-577c

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2021-10-13T14:00:13

Updated: 2024-08-04T02:59:31.695Z

Reserved: 2021-09-15T00:00:00

Link: CVE-2021-41137

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-10-13T14:15:07.827

Modified: 2022-08-12T16:29:57.947

Link: CVE-2021-41137

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "minio", "vendor": "minio", "versions": [{"status": "affected", "version": "= RELEASE.2021-10-10T16-53-30Z"}]}], "descriptions": [{"lang": "en", "value": "Minio is a Kubernetes native application for cloud storage. All users on release `RELEASE.2021-10-10T16-53-30Z` are affected by a vulnerability that involves bypassing policy restrictions on regular users. Normally, checkKeyValid() should return owner true for rootCreds. In the affected version, policy restriction did not work properly for users who did not have service (svc) or security token service (STS) accounts. This issue is fixed in `RELEASE.2021-10-13T00-23-17Z`. A downgrade back to release `RELEASE.2021-10-08T23-58-24Z` is available as a workaround."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-285", "description": "CWE-285: Improper Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-10-13T14:00:12", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/minio/minio/security/advisories/GHSA-v64v-g97p-577c"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/minio/minio/pull/13388"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/minio/minio/pull/13422"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/minio/minio/commit/415bbc74aacd53a120e54a663e941b1809982dbd"}], "source": {"advisory": "GHSA-v64v-g97p-577c", "discovery": "UNKNOWN"}, "title": "Bypassing policy restrictions on regular users ", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-41137", "STATE": "PUBLIC", "TITLE": "Bypassing policy restrictions on regular users "}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "minio", "version": {"version_data": [{"version_value": "= RELEASE.2021-10-10T16-53-30Z"}]}}]}, "vendor_name": "minio"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Minio is a Kubernetes native application for cloud storage. All users on release `RELEASE.2021-10-10T16-53-30Z` are affected by a vulnerability that involves bypassing policy restrictions on regular users. Normally, checkKeyValid() should return owner true for rootCreds. In the affected version, policy restriction did not work properly for users who did not have service (svc) or security token service (STS) accounts. This issue is fixed in `RELEASE.2021-10-13T00-23-17Z`. A downgrade back to release `RELEASE.2021-10-08T23-58-24Z` is available as a workaround."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-285: Improper Authorization"}]}]}, "references": {"reference_data": [{"name": "https://github.com/minio/minio/security/advisories/GHSA-v64v-g97p-577c", "refsource": "CONFIRM", "url": "https://github.com/minio/minio/security/advisories/GHSA-v64v-g97p-577c"}, {"name": "https://github.com/minio/minio/pull/13388", "refsource": "MISC", "url": "https://github.com/minio/minio/pull/13388"}, {"name": "https://github.com/minio/minio/pull/13422", "refsource": "MISC", "url": "https://github.com/minio/minio/pull/13422"}, {"name": "https://github.com/minio/minio/commit/415bbc74aacd53a120e54a663e941b1809982dbd", "refsource": "MISC", "url": "https://github.com/minio/minio/commit/415bbc74aacd53a120e54a663e941b1809982dbd"}]}, "source": {"advisory": "GHSA-v64v-g97p-577c", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T02:59:31.695Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/minio/minio/security/advisories/GHSA-v64v-g97p-577c"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/minio/minio/pull/13388"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/minio/minio/pull/13422"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/minio/minio/commit/415bbc74aacd53a120e54a663e941b1809982dbd"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-41137", "datePublished": "2021-10-13T14:00:13", "dateReserved": "2021-09-15T00:00:00", "dateUpdated": "2024-08-04T02:59:31.695Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:minio:minio:2021-10-10t16-53-30z:*:*:*:*:*:*:*", "matchCriteriaId": "3AB9615C-F075-41E6-B11E-BF0E011832FB", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Minio is a Kubernetes native application for cloud storage. All users on release `RELEASE.2021-10-10T16-53-30Z` are affected by a vulnerability that involves bypassing policy restrictions on regular users. Normally, checkKeyValid() should return owner true for rootCreds. In the affected version, policy restriction did not work properly for users who did not have service (svc) or security token service (STS) accounts. This issue is fixed in `RELEASE.2021-10-13T00-23-17Z`. A downgrade back to release `RELEASE.2021-10-08T23-58-24Z` is available as a workaround."}, {"lang": "es", "value": "Minio es una aplicaci\u00f3n nativa de Kubernetes para el almacenamiento en la nube. Todos los usuarios de la versi\u00f3n \"RELEASE.2021-10-10T16-53-30Z\" est\u00e1n afectados por una vulnerabilidad que implica omitir las restricciones de las pol\u00edticas de los usuarios normales. Normalmente, checkKeyValid() deber\u00eda devolver el propietario true para rootCreds. En la versi\u00f3n afectada, la restricci\u00f3n de pol\u00edticas no funcionaba correctamente para usuarios que no ten\u00edan cuentas de servicio (svc) o de servicio de token de seguridad (STS). Este problema es corregido en la versi\u00f3n \"RELEASE.2021-10-13T00-23-17Z\". Como soluci\u00f3n, es posible volver a la versi\u00f3n \"RELEASE.2021-10-08T23-58-24Z\""}], "id": "CVE-2021-41137", "lastModified": "2022-08-12T16:29:57.947", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Primary"}]}, "published": "2021-10-13T14:15:07.827", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/minio/minio/commit/415bbc74aacd53a120e54a663e941b1809982dbd"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/minio/minio/pull/13388"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/minio/minio/pull/13422"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/minio/minio/security/advisories/GHSA-v64v-g97p-577c"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-285"}], "source": "security-advisories@github.com", "type": "Secondary"}]}