ID

VAR-202102-0960


CVE

CVE-2021-21287


TITLE

MinIO Server-side Request Forgery Vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2021-003153

DESCRIPTION

MinIO is a High Performance Object Storage released under Apache License v2.0. In MinIO before version RELEASE.2021-01-30T00-20-58Z there is a server-side request forgery vulnerability. The target application may have functionality for importing data from a URL, publishing data to a URL, or otherwise reading data from a URL that can be tampered with. The attacker modifies the calls to this functionality by supplying a completely different URL or by manipulating how URLs are built (path traversal etc.). In a Server-Side Request Forgery (SSRF) attack, the attacker can abuse functionality on the server to read or update internal resources. The attacker can supply or modify a URL from which the code running on the server will read data or to which it will submit data, and by carefully selecting the URLs, the attacker may be able to read server configuration such as AWS metadata, connect to internal services like HTTP-enabled databases, or perform POST requests towards internal services which are not intended to be exposed. This is fixed in version RELEASE.2021-01-30T00-20-58Z; all users are advised to upgrade. As a workaround you can disable the browser front-end with the "MINIO_BROWSER=off" environment variable. Minio is an open source object storage server from MinIO, USA. The product supports the construction of infrastructure for machine learning, analysis, and application data workloads.

Trust: 2.25

sources: NVD: CVE-2021-21287 // JVNDB: JVNDB-2021-003153 // CNVD: CNVD-2021-19696 // VULMON: CVE-2021-21287

IOT TAXONOMY

category: ['Network device'] sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2021-19696

AFFECTED PRODUCTS

vendor: minio model: minio scope: lt version: 2021-01-30t00-20-58z

Trust: 1.0

vendor: minio model: minio scope: eq version: -

Trust: 0.8

vendor: minio model: minio scope: eq version: 2021-01-30t00-20-58z

Trust: 0.8

vendor: minio model: minio scope: - version: -

Trust: 0.6

sources: CNVD: CNVD-2021-19696 // JVNDB: JVNDB-2021-003153 // NVD: CVE-2021-21287

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-21287
value: HIGH

Trust: 1.0

security-advisories@github.com: CVE-2021-21287
value: HIGH

Trust: 1.0

NVD: CVE-2021-21287
value: HIGH

Trust: 0.8

CNVD: CNVD-2021-19696
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202102-009
value: HIGH

Trust: 0.6

VULMON: CVE-2021-21287
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2021-21287
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

CNVD: CNVD-2021-19696
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2021-21287
baseSeverity: HIGH
baseScore: 7.7
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.1
impactScore: 4.0
version: 3.1

Trust: 2.0

OTHER: JVNDB-2021-003153
baseSeverity: HIGH
baseScore: 7.7
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2021-19696 // VULMON: CVE-2021-21287 // JVNDB: JVNDB-2021-003153 // CNNVD: CNNVD-202102-009 // NVD: CVE-2021-21287 // NVD: CVE-2021-21287

PROBLEMTYPE DATA

problemtype: CWE-918

Trust: 1.0

problemtype: Server-side request forgery (CWE-918) [ Other ]

Trust: 0.8

sources: JVNDB: JVNDB-2021-003153 // NVD: CVE-2021-21287

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202102-009

TYPE

code problem

Trust: 0.6

sources: CNNVD: CNNVD-202102-009

PATCH

title: Security Bug Fix Release GitHub url: https://github.com/minio/minio/commit/eb6871ecd960d570f70698877209e6db181bf276

Trust: 0.8

title: Patch for MinIO cross-site request forgery vulnerability url: https://www.cnvd.org.cn/patchInfo/show/254121

Trust: 0.6

title: Minio MinIO Fixes for code issue vulnerabilities url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=140428

Trust: 0.6

title: Arch Linux Advisories: [ASA-202102-10] minio: directory traversal url: https://vulmon.com/vendoradvisory?qidtp=arch_linux_advisories&qid=ASA-202102-10

Trust: 0.1

title: Arch Linux Issues: url: https://vulmon.com/vendoradvisory?qidtp=arch_linux_issues&qid=CVE-2021-21287 log

Trust: 0.1

title: Cloud-Native-Security2 url: https://github.com/reni2study/Cloud-Native-Security2

Trust: 0.1

sources: CNVD: CNVD-2021-19696 // VULMON: CVE-2021-21287 // JVNDB: JVNDB-2021-003153 // CNNVD: CNNVD-202102-009

EXTERNAL IDS

db: NVD id: CVE-2021-21287

Trust: 3.1

db: JVNDB id: JVNDB-2021-003153

Trust: 0.8

db: CNVD id: CNVD-2021-19696

Trust: 0.6

db: CNNVD id: CNNVD-202102-009

Trust: 0.6

db: VULMON id: CVE-2021-21287

Trust: 0.1

sources: CNVD: CNVD-2021-19696 // VULMON: CVE-2021-21287 // JVNDB: JVNDB-2021-003153 // CNNVD: CNNVD-202102-009 // NVD: CVE-2021-21287

REFERENCES

url: https://nvd.nist.gov/vuln/detail/cve-2021-21287

Trust: 2.0

url: https://github.com/minio/minio/commit/eb6871ecd960d570f70698877209e6db181bf276

Trust: 1.7

url: https://github.com/minio/minio/pull/11337

Trust: 1.7

url: https://github.com/minio/minio/releases/tag/release.2021-01-30t00-20-58z

Trust: 1.7

url: https://github.com/minio/minio/security/advisories/ghsa-m4qq-5f7c-693q

Trust: 1.7

url: https://cwe.mitre.org/data/definitions/918.html

Trust: 0.1

url: https://nvd.nist.gov

Trust: 0.1

url: https://security.archlinux.org/asa-202102-10

Trust: 0.1

url: https://security.archlinux.org/cve-2021-21287

Trust: 0.1

sources: CNVD: CNVD-2021-19696 // VULMON: CVE-2021-21287 // JVNDB: JVNDB-2021-003153 // CNNVD: CNNVD-202102-009 // NVD: CVE-2021-21287

SOURCES

db: CNVD id: CNVD-2021-19696
db: VULMON id: CVE-2021-21287
db: JVNDB id: JVNDB-2021-003153
db: CNNVD id: CNNVD-202102-009
db: NVD id: CVE-2021-21287

LAST UPDATE DATE

2024-08-14T14:18:35.193000+00:00


SOURCES UPDATE DATE

db: CNVD id: CNVD-2021-19696 date: 2021-03-21T00:00:00
db: VULMON id: CVE-2021-21287 date: 2021-02-05T00:00:00
db: JVNDB id: JVNDB-2021-003153 date: 2021-10-19T08:04:00
db: CNNVD id: CNNVD-202102-009 date: 2021-02-09T00:00:00
db: NVD id: CVE-2021-21287 date: 2021-02-05T20:44:53.243

SOURCES RELEASE DATE

db: CNVD id: CNVD-2021-19696 date: 2021-03-21T00:00:00
db: VULMON id: CVE-2021-21287 date: 2021-02-01T00:00:00
db: JVNDB id: JVNDB-2021-003153 date: 2021-10-19T00:00:00
db: CNNVD id: CNNVD-202102-009 date: 2021-02-01T00:00:00
db: NVD id: CVE-2021-21287 date: 2021-02-01T18:15:13.890