CVE-2021-43858

2021-12-2722:15:07

Google

osv.dev

6.5 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

51.0%

JSON

MinIO is a Kubernetes native application for cloud storage. Prior to version RELEASE.2021-12-27T07-23-18Z, a malicious client can hand-craft an HTTP API call that allows for updating policy for a user and gaining higher privileges. The patch in version RELEASE.2021-12-27T07-23-18Z changes the accepted request body type and removes the ability to apply policy changes through this API. There is a workaround for this vulnerability: Changing passwords can be disabled by adding an explicit Deny rule to disable the API for users.

CPENameOperatorVersion
minioeqRELEASE.2018-10-06T00-15-16Z
minioeqRELEASE.2018-05-11T00-29-24Z
minioeqRELEASE.2019-06-01T03-46-14Z
minioeqRELEASE.2021-10-10T16-53-30Z
minioeqRELEASE.2018-05-16T23-35-33Z
minioeqRELEASE.2018-09-12T18-49-56Z
minioeqRELEASE.2018-09-11T01-39-21Z
minioeqRELEASE.2021-09-09T21-37-07Z
minioeqRELEASE.2021-11-24T23-19-33Z
minioeqRELEASE.2021-07-30T00-02-00Z

Name	Operator	Version
minio	eq	RELEASE.2018-10-06T00-15-16Z
minio	eq	RELEASE.2018-05-11T00-29-24Z
minio	eq	RELEASE.2019-06-01T03-46-14Z
minio	eq	RELEASE.2021-10-10T16-53-30Z
minio	eq	RELEASE.2018-05-16T23-35-33Z
minio	eq	RELEASE.2018-09-12T18-49-56Z
minio	eq	RELEASE.2018-09-11T01-39-21Z
minio	eq	RELEASE.2021-09-09T21-37-07Z
minio	eq	RELEASE.2021-11-24T23-19-33Z
minio	eq	RELEASE.2021-07-30T00-02-00Z