CVE-2021-41137

Опубликовано: 13 окт. 2021

Источник: nvd

CVSS3: 8.8

CVSS2: 6.5

EPSS Низкий

Описание

Minio is a Kubernetes native application for cloud storage. All users on release RELEASE.2021-10-10T16-53-30Z are affected by a vulnerability that involves bypassing policy restrictions on regular users. Normally, checkKeyValid() should return owner true for rootCreds. In the affected version, policy restriction did not work properly for users who did not have service (svc) or security token service (STS) accounts. This issue is fixed in RELEASE.2021-10-13T00-23-17Z. A downgrade back to release RELEASE.2021-10-08T23-58-24Z is available as a workaround.

Ссылки

https://github.com/minio/minio/commit/415bbc74aacd53a120e54a663e941b1809982dbd
Patch
Third Party Advisory
https://github.com/minio/minio/pull/13388
Patch
Third Party Advisory
https://github.com/minio/minio/pull/13422
Patch
Third Party Advisory
https://github.com/minio/minio/security/advisories/GHSA-v64v-g97p-577c
Third Party Advisory
https://github.com/minio/minio/commit/415bbc74aacd53a120e54a663e941b1809982dbd
Patch
Third Party Advisory
https://github.com/minio/minio/pull/13388
Patch
Third Party Advisory
https://github.com/minio/minio/pull/13422
Patch
Third Party Advisory
https://github.com/minio/minio/security/advisories/GHSA-v64v-g97p-577c
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:minio:minio:2021-10-10t16-53-30z:*:*:*:*:*:*:*

EPSS

Процентиль: 33%

0.00126

Низкий

8.8 High

CVSS3

6.5 Medium

CVSS2

Дефекты

CWE-285

NVD-CWE-Other

Связанные уязвимости