#VU64789 Improper Enforcement of Message Integrity During Transmission in a Communication Channel in minio - CVE-2021-21390

Cybersecurity Help s.r.o.

Published: 2022-06-29

Vulnerability identifier: #VU64789

Vulnerability risk: Medium

CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2021-21390

CWE-ID: CWE-924

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
minio
Other software / Other software solutions

Vendor: minio.io

Description

The vulnerability allows a remote attacker to modify data on the system.

The vulnerability exists due to enabled MITM modification of request bodies that are meant to have integrity guaranteed by chunk signatures. A remote unauthenticated attacker can send a specially crafted data to modify data on the system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

minio: 2020-01-03T19-12-21Z - 2021-03-12T00-00-47Z

External links
https://github.com/minio/minio/commit/e197800f9055489415b53cf137e31e194aaf7ba0
https://github.com/minio/minio/pull/11801
https://github.com/minio/minio/security/advisories/GHSA-xr7r-7gpj-5pgp

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Improper Enforcement of Message Integrity During Transmission in a Communication Channel in minio.io minio