Main Vulnerability Database SB2021101347

SB2021101347 - Improper Authorization in minio.io minio

Published: October 13, 2021 Updated: June 29, 2022

Security Bulletin ID SB2021101347

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Improper Authorization (CVE-ID: CVE-2021-41137)

The vulnerability allows a remote user to execute arbitrary code on the target system.

The vulnerability exists due to policy restriction does not work properly for users who did not have service (svc) or security token service (STS) accounts. A remote user can bypass policy restrictions on regular users and execute arbitrary code on the target system.

Remediation

Install update from vendor's website.

References

https://github.com/minio/minio/security/advisories/GHSA-v64v-g97p-577c
https://github.com/minio/minio/pull/13388
https://github.com/minio/minio/pull/13422
https://github.com/minio/minio/commit/415bbc74aacd53a120e54a663e941b1809982dbd