ID

VAR-202111-1069


CVE

CVE-2021-41266


TITLE

Minio access control error vulnerability

Trust: 1.2

sources: CNVD: CNVD-2021-88205 // CNNVD: CNNVD-202111-1271

DESCRIPTION

The MinIO Console is a graphical user interface for the MinIO Operator; MinIO itself is a multi-cloud object storage project. Affected versions are subject to an authentication bypass issue in the Operator Console when an external IDP is enabled. All users on release v0.12.2 and before are affected and are advised to update to 0.12.3 or newer. Users unable to upgrade should add automountServiceAccountToken: false to the operator-console deployment in Kubernetes so that no service account token is mounted inside the pod, then disable external identity provider authentication by unsetting the CONSOLE_IDP_URL, CONSOLE_IDP_CLIENT_ID, CONSOLE_IDP_SECRET and CONSOLE_IDP_CALLBACK environment variables, and instead use the Kubernetes service account token. The MinIO Console lacks authentication for a critical function; as a result, information may be obtained, information may be tampered with, and service operation may be interrupted (DoS). MinIO is an open source object storage server from MinIO (Minio) in the United States. The product supports building infrastructure for machine learning, analytics, and application data workloads. Minio 0.12.2 and earlier versions have an access control error vulnerability. No detailed vulnerability details are currently provided.

Trust: 2.25

sources: NVD: CVE-2021-41266 // JVNDB: JVNDB-2021-014927 // CNVD: CNVD-2021-88205 // VULMON: CVE-2021-41266

IOT TAXONOMY

category: ['Network device']
sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2021-88205

AFFECTED PRODUCTS

vendor: min
model: minio console
scope: lt
version: 0.12.3

Trust: 1.0

vendor: minio
model: console
scope: eq
version: -

Trust: 0.8

vendor: minio
model: console
scope: lte
version: 0.12.2 and earlier

Trust: 0.8

vendor: minio
model: minio
scope: lte
version: <=0.12.2

Trust: 0.6

sources: CNVD: CNVD-2021-88205 // JVNDB: JVNDB-2021-014927 // NVD: CVE-2021-41266

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-41266
value: CRITICAL

Trust: 1.0

security-advisories@github.com: CVE-2021-41266
value: HIGH

Trust: 1.0

NVD: CVE-2021-41266
value: CRITICAL

Trust: 0.8

CNVD: CNVD-2021-88205
value: HIGH

Trust: 0.6

CNNVD: CNNVD-202111-1271
value: HIGH

Trust: 0.6

VULMON: CVE-2021-41266
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2021-41266
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

CNVD: CNVD-2021-88205
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:N/C:C/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 8.5
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2021-41266
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

security-advisories@github.com: CVE-2021-41266
baseSeverity: HIGH
baseScore: 8.6
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: LOW
availabilityImpact: LOW
exploitabilityScore: 3.9
impactScore: 4.7
version: 3.1

Trust: 1.0

NVD: CVE-2021-41266
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2021-88205 // VULMON: CVE-2021-41266 // JVNDB: JVNDB-2021-014927 // CNNVD: CNNVD-202111-1271 // NVD: CVE-2021-41266 // NVD: CVE-2021-41266

PROBLEMTYPE DATA

problemtype: CWE-306

Trust: 1.0

problemtype: Lack of authentication for critical features (CWE-306) [ others ]

Trust: 0.8

sources: JVNDB: JVNDB-2021-014927 // NVD: CVE-2021-41266

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202111-1271

TYPE

access control error

Trust: 0.6

sources: CNNVD: CNNVD-202111-1271

PATCH

title: Fixed broken oauth2 login for operator #1217 GitHub
url: https://github.com/minio/console/pull/1217

Trust: 0.8

title: Patch for Minio access control error vulnerability
url: https://www.cnvd.org.cn/patchInfo/show/298151

Trust: 0.6

title: Minio fixes for access control error vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=172335

Trust: 0.6

title: -
url: https://github.com/20142995/Goby

Trust: 0.1

sources: CNVD: CNVD-2021-88205 // VULMON: CVE-2021-41266 // JVNDB: JVNDB-2021-014927 // CNNVD: CNNVD-202111-1271

EXTERNAL IDS

db: NVD
id: CVE-2021-41266

Trust: 3.9

db: JVNDB
id: JVNDB-2021-014927

Trust: 0.8

db: CNVD
id: CNVD-2021-88205

Trust: 0.6

db: CNNVD
id: CNNVD-202111-1271

Trust: 0.6

db: VULMON
id: CVE-2021-41266

Trust: 0.1

sources: CNVD: CNVD-2021-88205 // VULMON: CVE-2021-41266 // JVNDB: JVNDB-2021-014927 // CNNVD: CNNVD-202111-1271 // NVD: CVE-2021-41266

REFERENCES

url: https://nvd.nist.gov/vuln/detail/cve-2021-41266

Trust: 2.0

url: https://github.com/minio/console/pull/1217

Trust: 1.7

url: https://github.com/minio/console/security/advisories/ghsa-4999-659w-mq36

Trust: 1.7

url: https://cwe.mitre.org/data/definitions/306.html

Trust: 0.1

url: https://nvd.nist.gov

Trust: 0.1

url: https://github.com/20142995/goby

Trust: 0.1

sources: CNVD: CNVD-2021-88205 // VULMON: CVE-2021-41266 // JVNDB: JVNDB-2021-014927 // CNNVD: CNNVD-202111-1271 // NVD: CVE-2021-41266

SOURCES

db: CNVD, id: CNVD-2021-88205
db: VULMON, id: CVE-2021-41266
db: JVNDB, id: JVNDB-2021-014927
db: CNNVD, id: CNNVD-202111-1271
db: NVD, id: CVE-2021-41266

LAST UPDATE DATE

2024-08-14T15:33:01.230000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2021-88205, date: 2021-11-17T00:00:00
db: VULMON, id: CVE-2021-41266, date: 2021-11-19T00:00:00
db: JVNDB, id: JVNDB-2021-014927, date: 2022-11-02T01:12:00
db: CNNVD, id: CNNVD-202111-1271, date: 2021-12-01T00:00:00
db: NVD, id: CVE-2021-41266, date: 2021-11-19T16:16:10.313

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2021-88205, date: 2021-11-17T00:00:00
db: VULMON, id: CVE-2021-41266, date: 2021-11-15T00:00:00
db: JVNDB, id: JVNDB-2021-014927, date: 2022-11-02T00:00:00
db: CNNVD, id: CNNVD-202111-1271, date: 2021-11-15T00:00:00
db: NVD, id: CVE-2021-41266, date: 2021-11-15T21:15:07.320