ID

VAR-202112-1852


CVE

CVE-2021-43858


TITLE

MinIO  Fraud related to unauthorized authentication in

Trust: 0.8

sources: JVNDB: JVNDB-2021-017335

DESCRIPTION

MinIO is a Kubernetes native application for cloud storage. Prior to version `RELEASE.2021-12-27T07-23-18Z`, a malicious client can hand-craft an HTTP API call that allows for updating policy for a user and gaining higher privileges. The patch in version `RELEASE.2021-12-27T07-23-18Z` changes the accepted request body type and removes the ability to apply policy changes through this API. There is a workaround for this vulnerability: Changing passwords can be disabled by adding an explicit `Deny` rule to disable the API for users. MinIO Exists in a fraudulent authentication vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. Minio MinIO is an open source object storage server of MinIO (Minio) company in the United States. The product supports building infrastructure for machine learning, analytics, and application data workloads. Patch with version number RELEASE. No detailed vulnerability details are currently available. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat Advanced Cluster Management 2.4.2 security updates and bug fixes Advisory ID: RHSA-2022:0735-01 Product: Red Hat ACM Advisory URL: https://access.redhat.com/errata/RHSA-2022:0735 Issue date: 2022-03-03 CVE Names: CVE-2021-3521 CVE-2021-3712 CVE-2021-3807 CVE-2021-3872 CVE-2021-3918 CVE-2021-3984 CVE-2021-4019 CVE-2021-4034 CVE-2021-4122 CVE-2021-4155 CVE-2021-4192 CVE-2021-4193 CVE-2021-22963 CVE-2021-41089 CVE-2021-41091 CVE-2021-42574 CVE-2021-43565 CVE-2021-43816 CVE-2021-43858 CVE-2022-0185 CVE-2022-0235 CVE-2022-24407 CVE-2022-24450 ===================================================================== 1. Summary: Red Hat Advanced Cluster Management for Kubernetes 2.4.2 General Availability release images. This update provides security fixes, fixes bugs, and updates the container images. Red Hat Product Security has rated this update as having a security impact of Important. 2. Description: Red Hat Advanced Cluster Management for Kubernetes 2.4.2 images Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Clusters and applications are all visible and managed from a single console—with security policy built in. Red Hat Product Security has rated this update as having a security impact of Important. This advisory contains the container images for Red Hat Advanced Cluster Management for Kubernetes, which provide some security fixes and bug fixes. See the following Release Notes documentation, which will be updated shortly for this release, for additional details about this release: https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.4/html/release_notes/ Security updates: * nodejs-json-schema: Prototype pollution vulnerability (CVE-2021-3918) * containerd: Unprivileged pod may bind mount any privileged regular file on disk (CVE-2021-43816) * minio-go: user privilege escalation in AddUser() admin API (CVE-2021-43858) * nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes (CVE-2021-3807) * fastify-static: open redirect via an URL with double slash followed by a domain (CVE-2021-22963) * moby: `docker cp` allows unexpected chmod of host file (CVE-2021-41089) * moby: data directory contains subdirectories with insufficiently restricted permissions, which could lead to directory traversal (CVE-2021-41091) * golang.org/x/crypto: empty plaintext packet causes panic (CVE-2021-43565) * node-fetch: Exposure of Sensitive Information to an Unauthorized Actor (CVE-2022-0235) * nats-server: misusing the "dynamically provisioned sandbox accounts" feature authenticated user can obtain the privileges of the System account (CVE-2022-24450) Bug fixes: * Trying to create a new cluster on vSphere and no feedback, stuck in "creating" (Bugzilla #1937078) * The hyperlink of *ks cluster node cannot be opened when I want to check the node (Bugzilla #2028100) * Unable to make SSH connection to a Bitbucket server (Bugzilla #2028196) * RHACM cannot deploy Helm Charts with version numbers starting with letters (e.g. v1.6.1) (Bugzilla #2028931) * RHACM 2.4.2 images (Bugzilla #2029506) * Git Application still appears in Application Table and Resources are Still Seen in Advanced Configuration Upon Deletion after Upgrade from 2.4.0 (Bugzilla #2030005) * Namespace left orphaned after destroying the cluster (Bugzilla #2030379) * The results filtered through the filter contain some data that should not be present in cluster page (Bugzilla #2034198) * Git over ssh doesn't use custom port set in url (Bugzilla #2036057) * The value of name label changed from clusterclaim name to cluster name (Bugzilla #2042223) * ACM configuration policies do not handle Limitrange or Quotas values (Bugzilla #2042545) * Cluster addons do not appear after upgrade from ACM 2.3.5 to ACM 2.3.6 (Bugzilla #2050847) * The azure government regions were not list in the region drop down list when creating the cluster (Bugzilla #2051797) 3. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.4/html-single/install/index#installing 4. Bugs fixed (https://bugzilla.redhat.com/): 2001668 - [DDF] normally, in the OCP web console, one sees a yaml of the secret, where at the bottom, the following is shown: 2007557 - CVE-2021-3807 nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes 2008592 - CVE-2021-41089 moby: `docker cp` allows unexpected chmod of host file 2012909 - [DDF] We feel it would be beneficial to add a sub-section here referencing the reconcile options available to users when 2015152 - CVE-2021-22963 fastify-static: open redirect via an URL with double slash followed by a domain 2023448 - CVE-2021-41091 moby: data directory contains subdirectories with insufficiently restricted permissions, which could lead to directory traversal 2024702 - CVE-2021-3918 nodejs-json-schema: Prototype pollution vulnerability 2028100 - The hyperlink of *ks cluster node can not be opened when I want to check the node 2028196 - Unable to make SSH connection to a Bitbucket server 2028931 - RHACM can not deploy Helm Charts with version numbers starting with letters (e.g. v1.6.1) 2029506 - RHACM 2.4.2 images 2030005 - Git Application still appears in Application Table and Resources are Still Seen in Advanced Configuration Upon Deletion after Upgrade from 2.4.0 2030379 - Namespace left orphaned after destroying the cluster 2030787 - CVE-2021-43565 golang.org/x/crypto: empty plaintext packet causes panic 2032957 - Missing AWX templates in ACM 2034198 - The results filtered through the filter contain some data that should not be present in cluster page 2036057 - git over ssh doesn't use custom port set in url 2036252 - CVE-2021-43858 minio: user privilege escalation in AddUser() admin API 2039378 - Deploying CRD via Application does not update status in ACM console 2041015 - The base domain did not updated when switch the provider credentials during create the cluster/cluster pool 2042545 - ACM configuration policies do not handle Limitrange or Quotas values 2043519 - "apps.open-cluster-management.io/git-branch" annotation should be mandatory 2044434 - CVE-2021-43816 containerd: Unprivileged pod may bind mount any privileged regular file on disk 2044591 - CVE-2022-0235 node-fetch: exposure of sensitive information to an unauthorized actor 2050847 - Cluster addons do not appear after upgrade from ACM 2.3.5 to ACM 2.3.6 2051797 - the azure government regions were not list in the region drop down list when create the cluster 2052573 - CVE-2022-24450 nats-server: misusing the "dynamically provisioned sandbox accounts" feature authenticated user can obtain the privileges of the System account 5. References: https://access.redhat.com/security/cve/CVE-2021-3521 https://access.redhat.com/security/cve/CVE-2021-3712 https://access.redhat.com/security/cve/CVE-2021-3807 https://access.redhat.com/security/cve/CVE-2021-3872 https://access.redhat.com/security/cve/CVE-2021-3918 https://access.redhat.com/security/cve/CVE-2021-3984 https://access.redhat.com/security/cve/CVE-2021-4019 https://access.redhat.com/security/cve/CVE-2021-4034 https://access.redhat.com/security/cve/CVE-2021-4122 https://access.redhat.com/security/cve/CVE-2021-4155 https://access.redhat.com/security/cve/CVE-2021-4192 https://access.redhat.com/security/cve/CVE-2021-4193 https://access.redhat.com/security/cve/CVE-2021-22963 https://access.redhat.com/security/cve/CVE-2021-41089 https://access.redhat.com/security/cve/CVE-2021-41091 https://access.redhat.com/security/cve/CVE-2021-42574 https://access.redhat.com/security/cve/CVE-2021-43565 https://access.redhat.com/security/cve/CVE-2021-43816 https://access.redhat.com/security/cve/CVE-2021-43858 https://access.redhat.com/security/cve/CVE-2022-0185 https://access.redhat.com/security/cve/CVE-2022-0235 https://access.redhat.com/security/cve/CVE-2022-24407 https://access.redhat.com/security/cve/CVE-2022-24450 https://access.redhat.com/security/updates/classification/#important 6. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2022 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYiE9otzjgjWX9erEAQi0Ew/9EGNefP8TLEdc6Vq3zNtj01fnV0K4Crgi sgKVOx1PYO+xFfdJKXwN/dg4kCMZ5kXPzf+6BNudmEIjDxvl7/khvWnXfgXXX5Ml 7/7vAzSkHETk63ZS8WJuXKXrfs56jEnNVpi86DgsjYcPocXmKk93OST0UlBV+Qec QjepL6X/khbKb3nCFBgSmejW2XWmqUNZ/XFOmrUtxxMyJ1PJTKmmpSIwWNy0uz9M vIECOhYPR9cOzF8NNQ5rby4/s7NyHnxLTWJcoUCNjCpJc7o7AswbQHjceLU3gX+b wkqNt7t7cEiBMvOdhRKWOyjVZ7hI8CbplRdJga52NsqhZtVMGXatK06DtTlPp4E4 RUo+gO2ipbld2KlFydBF/Rohm4xls9yzYt6uGaxH+HW75hLJLNyDPYitZptvuWAT BJFVTguNuLw9M8dk7vnbGCHZGJSz0GAKW53kx7SGe4DFcFpUtfUPua1ZLdAyuz9y ajYfbvvr4G34hxl6H/ovFzd5ydrSZpOtP43jWSBiySYRe5oOCWupp5vt3TwJOWsT ac6t4q350GEcUNRin99AGVv7Ch1Herrs+oVl4wd4jmtpHe35q2sOW4HlFhEOfsqa Gy4qDhuSxvfie0ONHVAQylj7XsRdLfClRhWCT0YmZyXcZlbELom99aDapDO8Hioa eqF6R05B/GE= =IaEk -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce . (BZ# 2033339) * Restore/backup shows up as Validation failed but the restore backup status in ACM shows success (BZ# 2034279) * Observability - OCP 311 node role are not displayed completely (BZ# 2038650) * Documented uninstall procedure leaves many leftovers (BZ# 2041921) * infrastructure-operator pod crashes due to insufficient privileges in ACM 2.5 (BZ# 2046554) * Acm failed to install due to some missing CRDs in operator (BZ# 2047463) * Navigation icons no longer showing in ACM 2.5 (BZ# 2051298) * ACM home page now includes /home/ in url (BZ# 2051299) * proxy heading in Add Credential should be capitalized (BZ# 2051349) * ACM 2.5 tries to create new MCE instance when install on top of existing MCE 2.0 (BZ# 2051983) * Create Policy button does not work and user cannot use console to create policy (BZ# 2053264) * No cluster information was displayed after a policyset was created (BZ# 2053366) * Dynamic plugin update does not take effect in Firefox (BZ# 2053516) * Replicated policy should not be available when creating a Policy Set (BZ# 2054431) * Placement section in Policy Set wizard does not reset when users click "Back" to re-configured placement (BZ# 2054433) 3. Bugs fixed (https://bugzilla.redhat.com/): 2014557 - RFE Copy secret with specific secret namespace, name for source and name, namespace and cluster label for target 2024702 - CVE-2021-3918 nodejs-json-schema: Prototype pollution vulnerability 2024938 - CVE-2021-41190 opencontainers: OCI manifest and index parsing confusion 2028224 - RHACM 2.5.0 images 2028348 - [UI] When you delete host agent from infraenv no confirmation message appear (Are you sure you want to delete x?) 2028647 - Clusters are in 'Degraded' status with upgrade env due to obs-controller not working properly 2030787 - CVE-2021-43565 golang.org/x/crypto: empty plaintext packet causes panic 2033339 - create cluster pool -> choose infra type , As a result infra providers disappear from UI. 2073179 - Policy controller was unable to retrieve violation status in for an OCP 3.11 managed cluster on ARM hub 2073330 - Observabilityy - memory usage data are not collected even collect rule is fired on SNO 2073355 - Get blank page when click policy with unknown status in Governance -> Overview page 2073508 - Thread responsible to get insights data from *ks clusters is broken 2073557 - appsubstatus is not deleted for Helm applications when changing between 2 managed clusters 2073726 - Placement of First Subscription gets overlapped by the Cluster Node in Application Topology 2073739 - Console/App LC - Error message saying resource conflict only shows up in standalone ACM but not in Dynamic plugin 2073740 - Console/App LC- Apps are deployed even though deployment do not proceed because of "resource conflict" error 2074178 - Editing Helm Argo Applications does not Prune Old Resources 2074626 - Policy placement failure during ZTP SNO scale test 2074689 - CVE-2022-21803 nconf: Prototype pollution in memory store 2074803 - The import cluster YAML editor shows the klusterletaddonconfig was required on MCE portal 2074937 - UI allows creating cluster even when there are no ClusterImageSets 2075416 - infraEnv failed to create image after restore 2075440 - The policyreport CR is created for spoke clusters until restarted the insights-client pod 2075739 - The lookup function won't check the referred resource whether exist when using template policies 2076421 - Can't select existing placement for policy or policyset when editing policy or policyset 2076494 - No policyreport CR for spoke clusters generated in the disconnected env 2076502 - The policyset card doesn't show the cluster status(violation/without violation) again after deleted one policy 2077144 - GRC Ansible automation wizard does not display error of missing dependent Ansible Automation Platform operator 2077149 - App UI shows no clusters cluster column of App Table when Discovery Applications is deployed to a managed cluster 2077291 - Prometheus doesn't display acm_managed_cluster_info after upgrade from 2.4 to 2.5 2077304 - Create Cluster button is disabled only if other clusters exist 2077526 - ACM UI is very very slow after upgrade from 2.4 to 2.5 2077562 - Console/App LC- Helm and Object bucket applications are not showing as deployed in the UI 2077751 - Can't create a template policy from UI when the object's name is referring Golang text template syntax in this policy 2077783 - Still show violation for clusterserviceversions after enforced "Detect Image vulnerabilities " policy template and the operator is installed 2077951 - Misleading message indicated that a placement of a policy became one managed only by policy set 2078164 - Failed to edit a policy without placement 2078167 - Placement binding and rule names are not created in yaml when editing a policy previously created with no placement 2078373 - Disable the hyperlink of *ks node in standalone MCE environment since the search component was not exists 2078617 - Azure public credential details get pre-populated with base domain name in UI 2078952 - View pod logs in search details returns error 2078973 - Crashed pod is marked with success in Topology 2079013 - Changing existing placement rules does not change YAML file 2079015 - Uninstall pod crashed when destroying Azure Gov cluster in ACM 2079421 - Hyphen(s) is deleted unexpectedly in UI when yaml is turned on 2079494 - Hitting Enter in yaml editor caused unexpected keys "key00x:" to be created 2079533 - Clusters with no default clusterset do not get assigned default cluster when upgrading from ACM 2.4 to 2.5 2079585 - When an Ansible Secret is propagated to an Ansible Application namespace, the propagated secret is shown in the Credentials page 2079611 - Edit appset placement in UI with a different existing placement causes the current associated placement being deleted 2079615 - Edit appset placement in UI with a new placement throws error upon submitting 2079658 - Cluster Count is Incorrect in Application UI 2079909 - Wrong message is displayed when GRC fails to connect to an ansible tower 2080172 - Still create policy automation successfully when the PolicyAutomation name exceed 63 characters 2080215 - Get a blank page after go to policies page in upgraded env when using an user with namespace-role-binding of default view role 2080279 - CVE-2022-29810 go-getter: writes SSH credentials into logfile, exposing sensitive credentials to local uses 2080503 - vSphere network name doesn't allow entering spaces and doesn't reflect YAML changes 2080567 - Number of cluster in violation in the table does not match other cluster numbers on the policy set details page 2080712 - Select an existing placement configuration does not work 2080776 - Unrecognized characters are displayed on policy and policy set yaml editors 2081792 - When deploying an application to a clusterpool claimed cluster after upgrade, the application does not get deployed to the cluster 2081810 - Type '-' character in Name field caused previously typed character backspaced in in the name field of policy wizard 2081829 - Application deployed on local cluster's topology is crashing after upgrade 2081938 - The deleted policy still be shown on the policyset review page when edit this policy set 2082226 - Object Storage Topology includes residue of resources after Upgrade 2082409 - Policy set details panel remains even after the policy set has been deleted 2082449 - The hypershift-addon-agent deployment did not have imagePullSecrets 2083038 - Warning still refers to the `klusterlet-addon-appmgr` pod rather than the `application-manager` pod 2083160 - When editing a helm app with failing resources to another, the appsubstatus and the managedclusterview do not get updated 2083434 - The provider-credential-controller did not support the RHV credentials type 2083854 - When deploying an application with ansiblejobs multiple times with different namespaces, the topology shows all the ansiblejobs rather than just the one within the namespace 2083870 - When editing an existing application and refreshing the `Select an existing placement configuration`, multiple occurrences of the placementrule gets displayed 2084034 - The status message looks messy in the policy set card, suggest one kind status one a row 2084158 - Support provisioning bm cluster where no provisioning network provided 2084622 - Local Helm application shows cluster resources as `Not Deployed` in Topology [Upgrade] 2085083 - Policies fail to copy to cluster namespace after ACM upgrade 2085237 - Resources referenced by a channel are not annotated with backup label 2085273 - Error querying for ansible job in app topology 2085281 - Template name error is reported but the template name was found in a different replicated policy 2086389 - The policy violations for hibernated cluster still be displayed on the policy set details page 2087515 - Validation thrown out in configuration for disconnect install while creating bm credential 2088158 - Object Storage Application deployed to all clusters is showing unemployed in topology [Upgrade] 2088511 - Some cluster resources are not showing labels that are defined in the YAML 5

Trust: 2.43

sources: NVD: CVE-2021-43858 // JVNDB: JVNDB-2021-017335 // CNVD: CNVD-2022-08921 // VULMON: CVE-2021-43858 // PACKETSTORM: 166199 // PACKETSTORM: 167459

IOT TAXONOMY

category:['Network device']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2022-08921

AFFECTED PRODUCTS

vendor:miniomodel:minioscope:ltversion:2021-12-27t07-23-18z

Trust: 1.0

vendor:miniomodel:minioscope:eqversion:release.2021-12-27t07-23-18z

Trust: 0.8

vendor:miniomodel:minioscope:eqversion: -

Trust: 0.8

vendor:miniomodel:<2021-12-27t07-23-18zscope: - version: -

Trust: 0.6

sources: CNVD: CNVD-2022-08921 // JVNDB: JVNDB-2021-017335 // NVD: CVE-2021-43858

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-43858
value: MEDIUM

Trust: 1.0

security-advisories@github.com: CVE-2021-43858
value: HIGH

Trust: 1.0

NVD: CVE-2021-43858
value: HIGH

Trust: 0.8

CNVD: CNVD-2022-08921
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202112-2635
value: HIGH

Trust: 0.6

VULMON: CVE-2021-43858
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2021-43858
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

CNVD: CNVD-2022-08921
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

security-advisories@github.com: CVE-2021-43858
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

OTHER: JVNDB-2021-017335
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2022-08921 // VULMON: CVE-2021-43858 // JVNDB: JVNDB-2021-017335 // CNNVD: CNNVD-202112-2635 // NVD: CVE-2021-43858 // NVD: CVE-2021-43858

PROBLEMTYPE DATA

problemtype:CWE-863

Trust: 1.0

problemtype:CWE-269

Trust: 1.0

problemtype:Illegal authentication (CWE-863) [NVD evaluation ]

Trust: 0.8

sources: JVNDB: JVNDB-2021-017335 // NVD: CVE-2021-43858

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202112-2635

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202112-2635

PATCH

title:Security Bugfix Release GitHuburl:https://github.com/minio/minio/commit/5a96cbbeaabd0a82b0fe881378e7c21c85091abf

Trust: 0.8

title:Patch for Unknown Vulnerability in Minio MinIOurl:https://www.cnvd.org.cn/patchInfo/show/318121

Trust: 0.6

title:Minio MinIO Security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=176258

Trust: 0.6

title:Red Hat: CVE-2021-43858url:https://vulmon.com/vendoradvisory?qidtp=red_hat_cve_database&qid=CVE-2021-43858

Trust: 0.1

title:Red Hat: Important: Red Hat Advanced Cluster Management 2.4.2 security updates and bug fixesurl:https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20220735 - Security Advisory

Trust: 0.1

title:Red Hat: Important: Red Hat Advanced Cluster Management 2.5 security updates, images, and bug fixesurl:https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20224956 - Security Advisory

Trust: 0.1

title:cve-2021-43858url:https://github.com/morhax/cve-2021-43858

Trust: 0.1

title: - url:https://github.com/soosmile/POC

Trust: 0.1

title: - url:https://github.com/SYRTI/POC_to_review

Trust: 0.1

sources: CNVD: CNVD-2022-08921 // VULMON: CVE-2021-43858 // JVNDB: JVNDB-2021-017335 // CNNVD: CNNVD-202112-2635

EXTERNAL IDS

db:NVDid:CVE-2021-43858

Trust: 4.1

db:JVNDBid:JVNDB-2021-017335

Trust: 0.8

db:PACKETSTORMid:166199

Trust: 0.7

db:CNVDid:CNVD-2022-08921

Trust: 0.6

db:AUSCERTid:ESB-2022.0903

Trust: 0.6

db:AUSCERTid:ESB-2022.2855

Trust: 0.6

db:CNNVDid:CNNVD-202112-2635

Trust: 0.6

db:VULMONid:CVE-2021-43858

Trust: 0.1

db:PACKETSTORMid:167459

Trust: 0.1

sources: CNVD: CNVD-2022-08921 // VULMON: CVE-2021-43858 // JVNDB: JVNDB-2021-017335 // PACKETSTORM: 166199 // PACKETSTORM: 167459 // CNNVD: CNNVD-202112-2635 // NVD: CVE-2021-43858

REFERENCES

url:https://github.com/minio/minio/pull/13976

Trust: 2.3

url:https://github.com/minio/minio/commit/5a96cbbeaabd0a82b0fe881378e7c21c85091abf

Trust: 1.7

url:https://github.com/minio/minio/releases/tag/release.2021-12-27t07-23-18z

Trust: 1.7

url:https://github.com/minio/minio/security/advisories/ghsa-j6jc-jqqc-p6cx

Trust: 1.7

url:https://github.com/minio/minio/pull/7949

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2021-43858

Trust: 1.5

url:https://www.auscert.org.au/bulletins/esb-2022.2855

Trust: 0.6

url:https://vigilance.fr/vulnerability/minio-privilege-escalation-via-http-api-call-updating-policy-37422

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2022.0903

Trust: 0.6

url:https://packetstormsecurity.com/files/166199/red-hat-security-advisory-2022-0735-01.html

Trust: 0.6

url:https://access.redhat.com/security/cve/cve-2021-43858

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2021-3918

Trust: 0.2

url:https://access.redhat.com/security/updates/classification/#important

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2021-43565

Trust: 0.2

url:https://listman.redhat.com/mailman/listinfo/rhsa-announce

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2021-43816

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2021-3918

Trust: 0.2

url:https://access.redhat.com/security/team/contact/

Trust: 0.2

url:https://bugzilla.redhat.com/):

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2022-24450

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2022-0235

Trust: 0.2

url:https://cwe.mitre.org/data/definitions/863.html

Trust: 0.1

url:https://github.com/morhax/cve-2021-43858

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-3872

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-3521

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-4034

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-4034

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-4019

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-4155

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-4122

Trust: 0.1

url:https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.4/html/release_notes/

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-3872

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-4192

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-0235

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-3712

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-22963

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-3984

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-22963

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-3984

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-4193

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-24407

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-24450

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-0185

Trust: 0.1

url:https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.4/html-single/install/index#installing

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-3807

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-43565

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-42574

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-0185

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-4155

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-41091

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-4193

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-4122

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-42574

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-41089

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-41089

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-41091

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-3807

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-43816

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-4192

Trust: 0.1

url:https://access.redhat.com/errata/rhsa-2022:0735

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-3712

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-4019

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-24407

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-3521

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-3752

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-4157

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-3669

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-3744

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2020-13974

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-45485

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-3773

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-4002

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-29154

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-43976

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-0941

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-43389

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-3634

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-27820

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-4189

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-44733

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-3752

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-21781

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-3634

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-3772

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2020-19131

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-3773

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-4037

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-29154

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-37159

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-4788

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-3772

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2020-0404

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-3669

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-3764

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-20322

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-3743

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-43056

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-3612

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-3764

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-37159

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-41864

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-27191

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-4197

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-0941

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-3612

Trust: 0.1

url:https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.5/html/release_notes/

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-26401

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-21803

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-24778

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2020-27820

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-3743

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-3737

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-1011

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-13974

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-20322

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-4083

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-45486

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-0322

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2020-4788

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-3737

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-26401

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-4157

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-0286

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-0001

Trust: 0.1

url:https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.5/html-single/install/index#installing

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-41190

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-3759

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-4083

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-24785

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-23806

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-41190

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-3759

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-4037

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-29810

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-4002

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-21781

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-0002

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-4203

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-3744

Trust: 0.1

url:https://access.redhat.com/errata/rhsa-2022:4956

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-19131

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-0778

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-42739

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-0404

Trust: 0.1

sources: CNVD: CNVD-2022-08921 // VULMON: CVE-2021-43858 // JVNDB: JVNDB-2021-017335 // PACKETSTORM: 166199 // PACKETSTORM: 167459 // CNNVD: CNNVD-202112-2635 // NVD: CVE-2021-43858

CREDITS

Red Hat

Trust: 0.2

sources: PACKETSTORM: 166199 // PACKETSTORM: 167459

SOURCES

db:CNVDid:CNVD-2022-08921
db:VULMONid:CVE-2021-43858
db:JVNDBid:JVNDB-2021-017335
db:PACKETSTORMid:166199
db:PACKETSTORMid:167459
db:CNNVDid:CNNVD-202112-2635
db:NVDid:CVE-2021-43858

LAST UPDATE DATE

2024-11-23T20:34:00.465000+00:00


SOURCES UPDATE DATE

db:CNVDid:CNVD-2022-08921date:2022-02-09T00:00:00
db:VULMONid:CVE-2021-43858date:2022-08-09T00:00:00
db:JVNDBid:JVNDB-2021-017335date:2023-01-17T02:37:00
db:CNNVDid:CNNVD-202112-2635date:2022-08-10T00:00:00
db:NVDid:CVE-2021-43858date:2024-11-21T06:29:56.750

SOURCES RELEASE DATE

db:CNVDid:CNVD-2022-08921date:2022-02-09T00:00:00
db:VULMONid:CVE-2021-43858date:2021-12-27T00:00:00
db:JVNDBid:JVNDB-2021-017335date:2023-01-17T00:00:00
db:PACKETSTORMid:166199date:2022-03-04T16:03:16
db:PACKETSTORMid:167459date:2022-06-09T16:11:52
db:CNNVDid:CNNVD-202112-2635date:2021-12-27T00:00:00
db:NVDid:CVE-2021-43858date:2021-12-27T22:15:07.703