BIT-minio-2021-41137

See a problem?

Import Source

https://github.com/bitnami/vulndb/tree/main/data/minio/BIT-minio-2021-41137.json

JSON Data

https://api.osv.dev/v1/vulns/BIT-minio-2021-41137

Aliases

CVE-2021-41137

Published

2024-03-06T10:57:52.071Z

Modified

2025-02-26T07:48:40.248Z

Summary

[none]

Details

Minio is a Kubernetes native application for cloud storage. All users on release RELEASE.2021-10-10T16-53-30Z are affected by a vulnerability that involves bypassing policy restrictions on regular users. Normally, checkKeyValid() should return owner true for rootCreds. In the affected version, policy restriction did not work properly for users who did not have service (svc) or security token service (STS) accounts. This issue is fixed in RELEASE.2021-10-13T00-23-17Z. A downgrade back to release RELEASE.2021-10-08T23-58-24Z is available as a workaround.

Database specific

{
    "cpes": [
        "cpe:2.3:a:minio:minio:2021.10.10:*:*:*:*:*:*:*",
        "cpe:2.3:a:minio:minio:2021-10-10t16-53-30z:*:*:*:*:*:*:*"
    ],
    "severity": "Medium"
}

References

Affected packages

Bitnami / minio

Package

Name: minio
Purl: pkg:bitnami/minio

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Affected ranges

Type: SEMVER
Events: Introduced

2021.10.10

Last affected

2021.10.10