Sign-up

ID

VAR-202110-0560


CVE

CVE-2021-41137


TITLE

MinIO Security hole

Trust: 0.6

sources: CNNVD: CNNVD-202110-973

DESCRIPTION

Minio is a Kubernetes native application for cloud storage. All users on release `RELEASE.2021-10-10T16-53-30Z` are affected by a vulnerability that involves bypassing policy restrictions on regular users. Normally, checkKeyValid() should return owner true for rootCreds. In the affected version, policy restriction did not work properly for users who did not have service (svc) or security token service (STS) accounts. This issue is fixed in `RELEASE.2021-10-13T00-23-17Z`. A downgrade back to release `RELEASE.2021-10-08T23-58-24Z` is available as a workaround.

Trust: 1.0

sources: NVD: CVE-2021-41137

AFFECTED PRODUCTS

vendor:miniomodel:minioscope:eqversion:2021-10-10t16-53-30z

Trust: 1.0

sources: NVD: CVE-2021-41137

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD: CVE-2021-41137
value: MEDIUM

Trust: 1.0

security-advisories@github.com: CVE-2021-41137
value: HIGH

Trust: 1.0

CNNVD: CNNVD-202110-973
value: HIGH

Trust: 0.6

NVD:
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: FALSE
obtainAllPrivilege: FALSE
obtainUserPrivilege: FALSE
obtainOtherPrivilege: FALSE
userInteractionRequired: FALSE
version: 2.0

Trust: 1.0

security-advisories@github.com:
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

sources: NVD: CVE-2021-41137 // NVD: CVE-2021-41137 // CNNVD: CNNVD-202110-973

PROBLEMTYPE DATA

problemtype:NVD-CWE-Other

Trust: 1.0

sources: NVD: CVE-2021-41137

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202110-973

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202110-973

CONFIGURATIONS

sources:
            
            
            NVD: CVE-2021-41137

PATCH
title:Minio Remediation measures for authorization problem vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=165635
Trust: 0.6
sources:
            
            
            CNNVD: CNNVD-202110-973

EXTERNAL IDS
db:NVDid:CVE-2021-41137
Trust: 1.6
db:CNNVDid:CNNVD-202110-973
Trust: 0.6
sources:
            
            
            NVD: CVE-2021-41137 // 
            
            
            
            CNNVD: CNNVD-202110-973

REFERENCES
url:https://github.com/minio/minio/commit/415bbc74aacd53a120e54a663e941b1809982dbd
Trust: 1.6
url:https://github.com/minio/minio/pull/13388
Trust: 1.6
url:https://github.com/minio/minio/pull/13422
Trust: 1.6
url:https://github.com/minio/minio/security/advisories/ghsa-v64v-g97p-577c
Trust: 1.6
url:https://nvd.nist.gov/vuln/detail/cve-2021-41137
Trust: 0.6
sources:
            
            
            NVD: CVE-2021-41137 // 
            
            
            
            CNNVD: CNNVD-202110-973

SOURCES
db:NVDid:CVE-2021-41137
db:CNNVDid:CNNVD-202110-973

LAST UPDATE DATE
2023-12-18T13:12:22.924000+00:00

SOURCES UPDATE DATE
db:NVDid:CVE-2021-41137date:2022-08-12T16:29:57.947
db:CNNVDid:CNNVD-202110-973date:2022-08-15T00:00:00

SOURCES RELEASE DATE
db:NVDid:CVE-2021-41137date:2021-10-13T14:15:07.827
db:CNNVDid:CNNVD-202110-973date:2021-10-13T00:00:00