8.8
CVE-2021-41137
- EPSS 1.24%
- Veröffentlicht 13.10.2021 14:15:07
- Zuletzt bearbeitet 21.11.2024 06:25:33
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
LoginBypassing policy restrictions on regular users
Minio is a Kubernetes native application for cloud storage. All users on release `RELEASE.2021-10-10T16-53-30Z` are affected by a vulnerability that involves bypassing policy restrictions on regular users. Normally, checkKeyValid() should return owner true for rootCreds. In the affected version, policy restriction did not work properly for users who did not have service (svc) or security token service (STS) accounts. This issue is fixed in `RELEASE.2021-10-13T00-23-17Z`. A downgrade back to release `RELEASE.2021-10-08T23-58-24Z` is available as a workaround.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 1.24% | 0.654 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 6.5 | 8 | 6.4 |
AV:N/AC:L/Au:S/C:P/I:P/A:P
|
| security-advisories@github.com | 8.8 | 2.8 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
CWE-285 Improper Authorization
The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
https://github.com/minio/minio/commit/415bbc74aacd53a120e54a663e941b1809982dbd
https://github.com/minio/minio/pull/13388
https://github.com/minio/minio/pull/13422
https://github.com/minio/minio/security/advisories/GHSA-v64v-g97p-577c