CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:S/C:N/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
EPSS
Percentile
43.2%
Severity: Medium
Date : 2021-03-13
CVE-ID : CVE-2021-21362
Package : minio
Type : access restriction bypass
Remote : Yes
Link : https://security.archlinux.org/AVG-1664
The package minio before version 2021.03.04-1 is vulnerable to access
restriction bypass.
Upgrade to 2021.03.04-1.
The problem has been fixed upstream in version 2021.03.04.
Disabling uploads with Content-Type: multipart/form-data
as mentioned
in the S3 API RESTObjectPOST docs by
using a proxy in front of MinIO.
In MinIO before version RELEASE.2021-03-04T00-53-13Z it is possible to
bypass a readOnly policy by creating a temporary ‘mc share upload’ URL.
Everyone using MinIO multi-users is impacted.
As a workaround, one can disable uploads with Content-Type: multipart/form-data
as mentioned in the S3 API RESTObjectPOST docs by
using a proxy in front of MinIO.
A remote attacker can alter a read-only resource via a temporary share
upload URL.
https://github.com/minio/minio/security/advisories/GHSA-hq5j-6r98-9m8v
https://github.com/minio/minio/pull/11682
https://github.com/minio/minio/commit/039f59b552319fcc2f83631bb421a7d4b82bc482
https://security.archlinux.org/CVE-2021-21362
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:S/C:N/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
EPSS
Percentile
43.2%