CVE-2021-21362

Public Exploit

Bypassing readOnly policy by creating a temporary 'mc share upload' URL

Description

MinIO is an open-source high performance object storage service and it is API compatible with Amazon S3 cloud storage service. In MinIO before version RELEASE.2021-03-04T00-53-13Z it is possible to bypass a readOnly policy by creating a temporary 'mc share upload' URL. Everyone is impacted who uses MinIO multi-users. This is fixed in version RELEASE.2021-03-04T00-53-13Z. As a workaround, one can disable uploads with `Content-Type: multipart/form-data` as mentioned in the S3 API RESTObjectPOST docs by using a proxy in front of MinIO.

References

Link	Tags
https://github.com/minio/minio/security/advisories/GHSA-hq5j-6r98-9m8v	third party advisory
https://github.com/minio/minio/pull/11682	third party advisory exploit
https://github.com/minio/minio/commit/039f59b552319fcc2f83631bb421a7d4b82bc482	third party advisory patch
https://github.com/minio/minio/releases/tag/RELEASE.2021-03-04T00-53-13Z	third party advisory release notes

Frequently Asked Questions

What is the severity of CVE-2021-21362?: CVE-2021-21362 has been scored as a high severity vulnerability.
How to fix CVE-2021-21362?: To fix CVE-2021-21362, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2021-21362 being actively exploited in the wild?: It is possible that CVE-2021-21362 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2021-21362?: CVE-2021-21362 affects minio minio.

Description

Categories

CWE-285 – Improper Authorization

CWE-863 – Incorrect Authorization

References

Frequently Asked Questions