// For flags

CVE-2021-41137

Bypassing policy restrictions on regular users

Severity Score

8.8
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Minio is a Kubernetes native application for cloud storage. All users on release `RELEASE.2021-10-10T16-53-30Z` are affected by a vulnerability that involves bypassing policy restrictions on regular users. Normally, checkKeyValid() should return owner true for rootCreds. In the affected version, policy restriction did not work properly for users who did not have service (svc) or security token service (STS) accounts. This issue is fixed in `RELEASE.2021-10-13T00-23-17Z`. A downgrade back to release `RELEASE.2021-10-08T23-58-24Z` is available as a workaround.

Minio es una aplicación nativa de Kubernetes para el almacenamiento en la nube. Todos los usuarios de la versión "RELEASE.2021-10-10T16-53-30Z" están afectados por una vulnerabilidad que implica omitir las restricciones de las políticas de los usuarios normales. Normalmente, checkKeyValid() debería devolver el propietario true para rootCreds. En la versión afectada, la restricción de políticas no funcionaba correctamente para usuarios que no tenían cuentas de servicio (svc) o de servicio de token de seguridad (STS). Este problema es corregido en la versión "RELEASE.2021-10-13T00-23-17Z". Como solución, es posible volver a la versión "RELEASE.2021-10-08T23-58-24Z"

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Low
Authentication
Single
Confidentiality
Partial
Integrity
Partial
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2021-09-15 CVE Reserved
  • 2021-10-13 CVE Published
  • 2024-08-04 CVE Updated
  • 2024-12-17 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-285: Improper Authorization
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Minio
Search vendor "Minio"
 Minio
Search vendor "Minio" for product "Minio"
 2021-10-10t16-53-30z
Search vendor "Minio" for product "Minio" and version "2021-10-10t16-53-30z"
-
Affected