CVE-2021-43858

Improper Privilege Management in go/github.com/minio/minio

Identifiers

CVE-2021-43858, GHSA-j6jc-jqqc-p6cx

Package Slug

go/github.com/minio/minio

Vulnerability

Improper Privilege Management

Description

MinIO is a Kubernetes native application for cloud storage. Prior to version RELEASE.2021-12-27T07-23-18Z, a malicious client can hand-craft an HTTP API call that allows for updating policy for a user and gaining higher privileges. The patch in version RELEASE.2021-12-27T07-23-18Z changes the accepted request body type and removes the ability to apply policy changes through this API. There is a workaround for this vulnerability: Changing passwords can be disabled by adding an explicit Deny rule to disable the API for users.

Affected Versions

All versions before v0.0.0-20211227072318-bb97eafa8254

Solution

Upgrade to version v0.0.0-20211227072318-bb97eafa8254 or above.

Last Modified

2022-01-11

source