CVE-2021-21362

Bypassing readOnly policy by creating a temporary 'mc share upload' URL

Severity Score

6.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

MinIO is an open-source high performance object storage service and it is API compatible with Amazon S3 cloud storage service. In MinIO before version RELEASE.2021-03-04T00-53-13Z it is possible to bypass a readOnly policy by creating a temporary 'mc share upload' URL. Everyone is impacted who uses MinIO multi-users. This is fixed in version RELEASE.2021-03-04T00-53-13Z. As a workaround, one can disable uploads with `Content-Type: multipart/form-data` as mentioned in the S3 API RESTObjectPOST docs by using a proxy in front of MinIO.

MinIO es un servicio de almacenamiento de objetos de alto rendimiento de código abierto y es compatible con la API con el servicio de almacenamiento en nube Amazon S3. En MinIO versiones anteriores a RELEASE.2021-03-04T00-53-13Z, es posible omitir una política de solo lectura al crear una URL temporal "mc share upload". Todos los que usan MinIO multiusuario están afectados. Esto es corregido en versión RELEASE.2021-03-04T00-53-13Z. Como una solución alternativa, puede ser deshabilitar las cargas con "Content-Type: multipart/form-data" como es mencionado en los documentos RESTObjectPOST de la API S3 al usar un proxy frente a MinIO

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

None

Integrity

High

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

None

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2020-12-22 CVE Reserved
2021-03-08 CVE Published
2024-08-03 CVE Updated
2024-08-03 First Exploit
2024-12-17 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-285: Improper Authorization
CWE-863: Incorrect Authorization

CAPEC

References (4)

URL	Tag	Source
https://github.com/minio/minio/releases/tag/RELEASE.2021-03-04T00-53-13Z	Release Notes
https://github.com/minio/minio/security/advisories/GHSA-hq5j-6r98-9m8v	Third Party Advisory

URL	Date	SRC
https://github.com/minio/minio/pull/11682	2024-08-03

URL	Date	SRC
https://github.com/minio/minio/commit/039f59b552319fcc2f83631bb421a7d4b82bc482	2022-10-21

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Minio Search vendor "Minio"		Minio Search vendor "Minio" for product "Minio"				< 2021-03-04t00-53-13z Search vendor "Minio" for product "Minio" and version " < 2021-03-04t00-53-13z"		-		Affected