ID

VAR-202110-0560


CVE

CVE-2021-41137


TITLE

MinIO Security hole

Trust: 0.6

sources: CNNVD: CNNVD-202110-973

DESCRIPTION

Minio is a Kubernetes native application for cloud storage. All users on release `RELEASE.2021-10-10T16-53-30Z` are affected by a vulnerability that involves bypassing policy restrictions on regular users. Normally, checkKeyValid() should return owner true for rootCreds. In the affected version, policy restriction did not work properly for users who did not have service (svc) or security token service (STS) accounts. This issue is fixed in `RELEASE.2021-10-13T00-23-17Z`. A downgrade back to release `RELEASE.2021-10-08T23-58-24Z` is available as a workaround.

Trust: 1.0

sources: NVD: CVE-2021-41137

AFFECTED PRODUCTS

vendor: minio
model: minio
scope: eq
version: 2021-10-10t16-53-30z

Trust: 1.0

sources: NVD: CVE-2021-41137

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD: CVE-2021-41137
value: MEDIUM

Trust: 1.0

security-advisories@github.com: CVE-2021-41137
value: HIGH

Trust: 1.0

CNNVD: CNNVD-202110-973
value: HIGH

Trust: 0.6

NVD:
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: FALSE
obtainAllPrivilege: FALSE
obtainUserPrivilege: FALSE
obtainOtherPrivilege: FALSE
userInteractionRequired: FALSE
version: 2.0

Trust: 1.0

security-advisories@github.com:
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

sources: NVD: CVE-2021-41137 // NVD: CVE-2021-41137 // CNNVD: CNNVD-202110-973

PROBLEMTYPE DATA

problemtype: NVD-CWE-Other

Trust: 1.0

sources: NVD: CVE-2021-41137

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202110-973

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202110-973

CONFIGURATIONS

sources: NVD: CVE-2021-41137

PATCH

title: Minio Remediation measures for authorization problem vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=165635

Trust: 0.6

sources: CNNVD: CNNVD-202110-973

EXTERNAL IDS

db: NVD, id: CVE-2021-41137

Trust: 1.6

db: CNNVD, id: CNNVD-202110-973

Trust: 0.6

sources: NVD: CVE-2021-41137 // CNNVD: CNNVD-202110-973

REFERENCES

url:https://github.com/minio/minio/commit/415bbc74aacd53a120e54a663e941b1809982dbd

Trust: 1.6

url:https://github.com/minio/minio/pull/13388

Trust: 1.6

url:https://github.com/minio/minio/pull/13422

Trust: 1.6

url:https://github.com/minio/minio/security/advisories/ghsa-v64v-g97p-577c

Trust: 1.6

url:https://nvd.nist.gov/vuln/detail/cve-2021-41137

Trust: 0.6

sources: NVD: CVE-2021-41137 // CNNVD: CNNVD-202110-973

SOURCES

db: NVD, id: CVE-2021-41137
db: CNNVD, id: CNNVD-202110-973

LAST UPDATE DATE

2023-12-18T13:12:22.924000+00:00

SOURCES UPDATE DATE

db: NVD, id: CVE-2021-41137, date: 2022-08-12T16:29:57.947
db: CNNVD, id: CNNVD-202110-973, date: 2022-08-15T00:00:00

SOURCES RELEASE DATE

db: NVD, id: CVE-2021-41137, date: 2021-10-13T14:15:07.827
db: CNNVD, id: CNNVD-202110-973, date: 2021-10-13T00:00:00