Details of VAR-202102-0960

ID

VAR-202102-0960

CVE

CVE-2021-21287

TITLE

MinIO Server-side Request Forgery Vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2021-003153

DESCRIPTION

MinIO is a High Performance Object Storage released under Apache License v2.0. In MinIO before version RELEASE.2021-01-30T00-20-58Z there is a server-side request forgery vulnerability. The target application may have functionality for importing data from a URL, publishing data to a URL, or otherwise reading data from a URL that can be tampered with. The attacker modifies the calls to this functionality by supplying a completely different URL or by manipulating how URLs are built (path traversal etc.). In a Server-Side Request Forgery (SSRF) attack, the attacker can abuse functionality on the server to read or update internal resources. The attacker can supply or modify a URL which the code running on the server will read or submit data, and by carefully selecting the URLs, the attacker may be able to read server configuration such as AWS metadata, connect to internal services like HTTP enabled databases, or perform post requests towards internal services which are not intended to be exposed. This is fixed in version RELEASE.2021-01-30T00-20-58Z, all users are advised to upgrade. As a workaround you can disable the browser front-end with "MINIO_BROWSER=off" environment variable. Minio is an open source object storage server from MinIO, USA. The product supports the construction of infrastructure for machine learning, analysis, and application data workloads

Trust: 2.25

sources: NVD: CVE-2021-21287 // JVNDB: JVNDB-2021-003153 // CNVD: CNVD-2021-19696 // VULMON: CVE-2021-21287

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2021-19696

AFFECTED PRODUCTS

vendor:	minio	model:	minio	scope:	lt	version:	2021-01-30t00-20-58z	Trust: 1.0
vendor:	minio	model:	minio	scope:	eq	version:	-	Trust: 0.8
vendor:	minio	model:	minio	scope:	eq	version:	2021-01-30t00-20-58z	Trust: 0.8
vendor:	minio	model:	minio	scope:	-	version:	-	Trust: 0.6

sources: CNVD: CNVD-2021-19696 // JVNDB: JVNDB-2021-003153 // NVD: CVE-2021-21287

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-21287
value:	HIGH
Trust: 1.0
security-advisories@github.com:	CVE-2021-21287
value:	HIGH
Trust: 1.0
NVD:	CVE-2021-21287
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2021-19696
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202102-009
value:	HIGH
Trust: 0.6
VULMON:	CVE-2021-21287
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2021-21287
severity:	MEDIUM
baseScore:	4.0
vectorString:	AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
CNVD:	CNVD-2021-19696
severity:	MEDIUM
baseScore:	4.0
vectorString:	AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2021-21287
baseSeverity:	HIGH
baseScore:	7.7
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	CHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.1
impactScore:	4.0
version:	3.1
Trust: 2.0
OTHER:	JVNDB-2021-003153
baseSeverity:	HIGH
baseScore:	7.7
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	CHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2021-19696 // VULMON: CVE-2021-21287 // JVNDB: JVNDB-2021-003153 // CNNVD: CNNVD-202102-009 // NVD: CVE-2021-21287 // NVD: CVE-2021-21287

PROBLEMTYPE DATA

problemtype:	CWE-918	Trust: 1.0
problemtype:	Server-side request forgery (CWE-918) [ Other ]	Trust: 0.8

sources: JVNDB: JVNDB-2021-003153 // NVD: CVE-2021-21287

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202102-009

TYPE

code problem

Trust: 0.6

sources: CNNVD: CNNVD-202102-009

PATCH

title:	Security Bug Fix Release GitHub	url:	https://github.com/minio/minio/commit/eb6871ecd960d570f70698877209e6db181bf276	Trust: 0.8
title:	Patch for MinIO cross-site request forgery vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/254121	Trust: 0.6
title:	Minio MinIO Fixes for code issue vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=140428	Trust: 0.6
title:	Arch Linux Advisories: [ASA-202102-10] minio: directory traversal	url:	https://vulmon.com/vendoradvisory?qidtp=arch_linux_advisories&qid=ASA-202102-10	Trust: 0.1
title:	Arch Linux Issues:	url:	https://vulmon.com/vendoradvisory?qidtp=arch_linux_issues&qid=CVE-2021-21287 log	Trust: 0.1
title:	Cloud-Native-Security2	url:	https://github.com/reni2study/Cloud-Native-Security2	Trust: 0.1

sources: CNVD: CNVD-2021-19696 // VULMON: CVE-2021-21287 // JVNDB: JVNDB-2021-003153 // CNNVD: CNNVD-202102-009

EXTERNAL IDS

db:	NVD	id:	CVE-2021-21287	Trust: 3.1
db:	JVNDB	id:	JVNDB-2021-003153	Trust: 0.8
db:	CNVD	id:	CNVD-2021-19696	Trust: 0.6
db:	CNNVD	id:	CNNVD-202102-009	Trust: 0.6
db:	VULMON	id:	CVE-2021-21287	Trust: 0.1

sources: CNVD: CNVD-2021-19696 // VULMON: CVE-2021-21287 // JVNDB: JVNDB-2021-003153 // CNNVD: CNNVD-202102-009 // NVD: CVE-2021-21287

REFERENCES

url:	https://nvd.nist.gov/vuln/detail/cve-2021-21287	Trust: 2.0
url:	https://github.com/minio/minio/commit/eb6871ecd960d570f70698877209e6db181bf276	Trust: 1.7
url:	https://github.com/minio/minio/pull/11337	Trust: 1.7
url:	https://github.com/minio/minio/releases/tag/release.2021-01-30t00-20-58z	Trust: 1.7
url:	https://github.com/minio/minio/security/advisories/ghsa-m4qq-5f7c-693q	Trust: 1.7
url:	https://cwe.mitre.org/data/definitions/918.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://security.archlinux.org/asa-202102-10	Trust: 0.1
url:	https://security.archlinux.org/cve-2021-21287	Trust: 0.1

sources: CNVD: CNVD-2021-19696 // VULMON: CVE-2021-21287 // JVNDB: JVNDB-2021-003153 // CNNVD: CNNVD-202102-009 // NVD: CVE-2021-21287

SOURCES

db:	CNVD	id:	CNVD-2021-19696
db:	VULMON	id:	CVE-2021-21287
db:	JVNDB	id:	JVNDB-2021-003153
db:	CNNVD	id:	CNNVD-202102-009
db:	NVD	id:	CVE-2021-21287

LAST UPDATE DATE

2024-08-14T14:18:35.193000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2021-19696	date:	2021-03-21T00:00:00
db:	VULMON	id:	CVE-2021-21287	date:	2021-02-05T00:00:00
db:	JVNDB	id:	JVNDB-2021-003153	date:	2021-10-19T08:04:00
db:	CNNVD	id:	CNNVD-202102-009	date:	2021-02-09T00:00:00
db:	NVD	id:	CVE-2021-21287	date:	2021-02-05T20:44:53.243

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2021-19696	date:	2021-03-21T00:00:00
db:	VULMON	id:	CVE-2021-21287	date:	2021-02-01T00:00:00
db:	JVNDB	id:	JVNDB-2021-003153	date:	2021-10-19T00:00:00
db:	CNNVD	id:	CNNVD-202102-009	date:	2021-02-01T00:00:00
db:	NVD	id:	CVE-2021-21287	date:	2021-02-01T18:15:13.890