8.8

CVE-2021-41137

EPSS 0.13%
Veröffentlicht 13.10.2021 14:15:07
Zuletzt bearbeitet 21.11.2024 06:25:33
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Minio is a Kubernetes native application for cloud storage. All users on release `RELEASE.2021-10-10T16-53-30Z` are affected by a vulnerability that involves bypassing policy restrictions on regular users. Normally, checkKeyValid() should return owner true for rootCreds. In the affected version, policy restriction did not work properly for users who did not have service (svc) or security token service (STS) accounts. This issue is fixed in `RELEASE.2021-10-13T00-23-17Z`. A downgrade back to release `RELEASE.2021-10-08T23-58-24Z` is available as a workaround.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 7

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Minio ≫ Minio Version2021-10-10t16-53-30z

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.13%	0.326

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.5	8	6.4	AV:N/AC:L/Au:S/C:P/I:P/A:P
security-advisories@github.com	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-285 Improper Authorization

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

https://github.com/minio/minio/commit/415bbc74aacd53a120e54a663e941b1809982dbd

Patch

Third Party Advisory

https://github.com/minio/minio/pull/13388

Patch

Third Party Advisory

https://github.com/minio/minio/pull/13422

Patch

Third Party Advisory

https://github.com/minio/minio/security/advisories/GHSA-v64v-g97p-577c

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2021-41137

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-41137

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-41137

EUVD