Vulnerability Details : CVE-2021-41137
Minio is a Kubernetes native application for cloud storage. All users on release `RELEASE.2021-10-10T16-53-30Z` are affected by a vulnerability that involves bypassing policy restrictions on regular users. Normally, checkKeyValid() should return owner true for rootCreds. In the affected version, policy restriction did not work properly for users who did not have service (svc) or security token service (STS) accounts. This issue is fixed in `RELEASE.2021-10-13T00-23-17Z`. A downgrade back to release `RELEASE.2021-10-08T23-58-24Z` is available as a workaround.
Vulnerability category: BypassGain privilege
Products affected by CVE-2021-41137
- cpe:2.3:a:minio:minio:2021-10-10t16-53-30z:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-41137
0.33%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 71 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2021-41137
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.5
|
MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
8.0
|
6.4
|
NIST | |
8.8
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
2.8
|
5.9
|
GitHub, Inc. |
CWE ids for CVE-2021-41137
-
The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.Assigned by: security-advisories@github.com (Secondary)
References for CVE-2021-41137
-
https://github.com/minio/minio/pull/13422
checkKeyValid() should return owner true for rootCreds by harshavardhana · Pull Request #13422 · minio/minio · GitHubPatch;Third Party Advisory
-
https://github.com/minio/minio/commit/415bbc74aacd53a120e54a663e941b1809982dbd
checkKeyValid() should return owner true for rootCreds (#13422) · minio/minio@415bbc7 · GitHubPatch;Third Party Advisory
-
https://github.com/minio/minio/security/advisories/GHSA-v64v-g97p-577c
Bypassing policy restrictions on regular users · Advisory · minio/minio · GitHubThird Party Advisory
-
https://github.com/minio/minio/pull/13388
fix: disallow invalid x-amz-security-token for root credentials by harshavardhana · Pull Request #13388 · minio/minio · GitHubPatch;Third Party Advisory
Jump to