CVE-2021-43858, GHSA-j6jc-jqqc-p6cx
go/github.com/minio/minio
Improper Privilege Management
MinIO is a Kubernetes native application for cloud storage. Prior to version RELEASE.2021-12-27T07-23-18Z
, a malicious client can hand-craft an HTTP API call that allows for updating policy for a user and gaining higher privileges. The patch in version RELEASE.2021-12-27T07-23-18Z
changes the accepted request body type and removes the ability to apply policy changes through this API. There is a workaround for this vulnerability: Changing passwords can be disabled by adding an explicit Deny
rule to disable the API for users.
All versions before v0.0.0-20211227072318-bb97eafa8254
Upgrade to version v0.0.0-20211227072318-bb97eafa8254 or above.
2022-01-11
source |