#VU64791 Improper Authorization in minio - CVE-2021-21362

Cybersecurity Help s.r.o.

Published: 2022-06-29

Vulnerability identifier: #VU64791

Vulnerability risk: Low

CVSSv4.0: 4.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-21362

CWE-ID: CWE-285

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
minio
Other software / Other software solutions

Vendor: minio.io

Description

The vulnerability allows a remote user to modify files on the system.

The vulnerability exists due to improper authorization error in MinIO. A remote user can bypass a readOnly policy by creating a temporary 'mc share upload' URL.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

minio: 2020-01-03T19-12-21Z - 2021-03-01T04-20-55Z

External links
https://github.com/minio/minio/commit/039f59b552319fcc2f83631bb421a7d4b82bc482
https://github.com/minio/minio/pull/11682
https://github.com/minio/minio/releases/tag/RELEASE.2021-03-04T00-53-13Z
https://github.com/minio/minio/security/advisories/GHSA-hq5j-6r98-9m8v

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Arch Linux update for minio

Improper Authorization in minio.io minio