GHSA-4999-659w-mq36

Source
https://github.com/advisories/GHSA-4999-659w-mq36
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/11/GHSA-4999-659w-mq36/GHSA-4999-659w-mq36.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-4999-659w-mq36
Aliases
Published
2021-11-15T23:16:49Z
Modified
2023-11-08T04:06:57.851119Z
Severity
  • 8.6 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Summary
Authentication bypass issue in the Operator Console
Details

During an internal security audit, we detected an authentication bypass issue in the Operator Console when an external IDP is enabled. The security issue has been reported internally. We have not observed this exploit in the wild or seen it reported elsewhere in the community at large. All users are advised to upgrade ASAP.

Impact

All users on release v0.12.2 and before are affected.

Patches

This issue was fixed by PR https://github.com/minio/console/pull/1217; users should upgrade to the latest release.

Workarounds

Add automountServiceAccountToken: false to the operator-console deployment in Kubernetes so that no service account token is mounted inside the pod. Then disable external identity provider authentication by unsetting the CONSOLE_IDP_URL, CONSOLE_IDP_CLIENT_ID, CONSOLE_IDP_SECRET and CONSOLE_IDP_CALLBACK environment variables, and instead use the Kubernetes service account token.
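
The workaround above as a Deployment manifest, shown before and after. This is an added example, not the MinIO project's own manifest; the namespace, labels, container name, image and IDP values are assumed placeholders.

```yaml
# Added example (not the project's manifest). Namespace, labels, container name,
# image and IDP values are assumed placeholders.
# Before: external IDP configured, service account token automounted (default).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: operator-console
  namespace: minio-operator               # assumed namespace
spec:
  selector:
    matchLabels: {app: operator-console}  # assumed label
  template:
    metadata:
      labels: {app: operator-console}
    spec:
      containers:
        - name: console                   # assumed container name
          image: "<console-image>"        # placeholder
          env:
            - {name: CONSOLE_IDP_URL, value: "<idp-url>"}
            - {name: CONSOLE_IDP_CLIENT_ID, value: "<client-id>"}
            - {name: CONSOLE_IDP_SECRET, value: "<client-secret>"}
            - {name: CONSOLE_IDP_CALLBACK, value: "<callback-url>"}
---
# After: workaround applied.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: operator-console
  namespace: minio-operator               # assumed namespace
spec:
  selector:
    matchLabels: {app: operator-console}  # assumed label
  template:
    metadata:
      labels: {app: operator-console}
    spec:
      # No service account token is mounted inside the pod.
      automountServiceAccountToken: false
      containers:
        - name: console                   # assumed container name
          image: "<console-image>"        # placeholder
          # All four CONSOLE_IDP_* variables are removed, which disables
          # external identity provider authentication.
```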

References

See PR #1217 for more information on the fix and how it was fixed.

For more information

If you have any questions or comments about this advisory:

  • Open an issue in console issues
  • Email us at security@minio.io

Affected packages

Go / github.com/minio/console

Package

Name
github.com/minio/console
Purl
pkg:golang/github.com/minio/console

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
0.12.3