CVE-2021-41266

Missing Authentication for Critical Function in go/github.com/minio/console

Identifiers

CVE-2021-41266, GHSA-4999-659w-mq36

Package Slug

go/github.com/minio/console

Vulnerability

Missing Authentication for Critical Function

Description

MinIO Console is a graphical user interface for the MinIO operator. Users unable to upgrade should add automountServiceAccountToken: false to the operator-console deployment in Kubernetes so that no service account token is mounted inside the pod, then disable the external identity provider authentication by unsetting the CONSOLE_IDP_URL, CONSOLE_IDP_CLIENT_ID, CONSOLE_IDP_SECRET and CONSOLE_IDP_CALLBACK environment variables and instead use the Kubernetes service account token.
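
A check for the workaround described above, added here as an example and not taken from the advisory or the MinIO project: it reads a Deployment manifest in the JSON form that kubectl get deployment operator-console -o json produces and reports what is still missing. The two sample manifests, the container name and the values in them are constructed.

```python
import json

# Variables the advisory says to unset on the operator-console deployment.
IDP_VARS = {"CONSOLE_IDP_URL", "CONSOLE_IDP_CLIENT_ID",
            "CONSOLE_IDP_SECRET", "CONSOLE_IDP_CALLBACK"}

def check_workaround(deployment):
    """Return findings for a Deployment dict; an empty list means the workaround is in place."""
    findings = []
    pod = deployment.get("spec", {}).get("template", {}).get("spec", {})
    # The advisory asks for an explicit false on the pod spec; absent or true fails.
    if pod.get("automountServiceAccountToken") is not False:
        findings.append("automountServiceAccountToken is not set to false")
    containers = (pod.get("initContainers") or []) + (pod.get("containers") or [])
    for c in containers:
        name = c.get("name", "<unnamed>")
        for env in c.get("env") or []:
            if env.get("name") in IDP_VARS:
                findings.append(f"container {name}: {env['name']} is still set")
        if c.get("envFrom"):
            # ConfigMap/Secret contents are not visible in the Deployment manifest.
            findings.append(f"container {name}: envFrom present, check its sources for CONSOLE_IDP_*")
    return findings

# Constructed sample manifests (trimmed to the fields the check reads).
SAMPLE_BEFORE = """{"spec": {"template": {"spec": {"containers": [
  {"name": "console", "env": [
    {"name": "CONSOLE_IDP_URL", "value": "https://idp.example.invalid"},
    {"name": "CONSOLE_IDP_CLIENT_ID", "value": "constructed-client-id"}]}]}}}}"""
SAMPLE_AFTER = """{"spec": {"template": {"spec": {
  "automountServiceAccountToken": false,
  "containers": [{"name": "console", "env": []}]}}}}"""

if __name__ == "__main__":
    for label, raw in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        findings = check_workaround(json.loads(raw))
        print(label, "OK" if not findings else findings)
```

A pod that takes its environment from a ConfigMap or Secret through envFrom is flagged for manual review, because those values do not appear in the Deployment object.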

Affected Versions

All versions before 0.12.3

Solution

Upgrade to version 0.12.3 or above.

Last Modified

2021-11-22
