Vulnerability Description
Minio is a Kubernetes-native application for cloud storage. All deployments running release `RELEASE.2021-10-10T16-53-30Z` are affected by a vulnerability that lets regular users bypass the policy restrictions placed on them. `checkKeyValid()` is supposed to report a caller as the owner (and therefore exempt from policy evaluation) only when the request is signed with the root credentials (`rootCreds`). In the affected release it reported owner status for every user that did not hold a service (svc) account or security token service (STS) credential, so the policy attached to an ordinary user was not enforced. This issue is fixed in `RELEASE.2021-10-13T00-23-17Z`. Downgrading to release `RELEASE.2021-10-08T23-58-24Z` is available as a workaround.
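The following Go model shows the authorization mistake the advisory describes and the intended behaviour side by side. It is an added example, not MinIO's own code: the credential kinds, the `store` map, the access keys and the `authorize` helper are all constructed for illustration. The only thing it takes from the advisory is the rule that the owner flag must come from a comparison with the root credentials, not from "is this credential neither svc nor STS".

```go
package main

import "fmt"

// Credential kinds in the model. Names are assumptions for this example;
// they are not MinIO's own types.
type credKind int

const (
	kindRoot credKind = iota // the server's root credentials
	kindUser                 // a regular, long-lived IAM user
	kindSvc                  // a service account
	kindSTS                  // a short-lived STS credential
)

// cred is a constructed stand-in for a stored credential.
type cred struct {
	accessKey string
	kind      credKind
	// allowedBuckets stands in for the policy attached to the credential.
	allowedBuckets map[string]bool
}

func (c cred) isServiceOrSTS() bool { return c.kind == kindSvc || c.kind == kindSTS }

// Constructed credential store: root plus one credential of each other kind.
// "alice" and her derived credentials are only allowed to touch the "data" bucket.
var rootAccessKey = "minioadmin"

var store = map[string]cred{
	"minioadmin": {accessKey: "minioadmin", kind: kindRoot},
	"alice":      {accessKey: "alice", kind: kindUser, allowedBuckets: map[string]bool{"data": true}},
	"alice-svc":  {accessKey: "alice-svc", kind: kindSvc, allowedBuckets: map[string]bool{"data": true}},
	"alice-sts":  {accessKey: "alice-sts", kind: kindSTS, allowedBuckets: map[string]bool{"data": true}},
}

// checkKeyValidVulnerable models the broken behaviour the advisory describes:
// any credential that is neither a service account nor an STS credential is
// reported as the owner, so a plain IAM user inherits root's unrestricted access.
func checkKeyValidVulnerable(accessKey string) (cred, bool, error) {
	c, ok := store[accessKey]
	if !ok {
		return cred{}, false, fmt.Errorf("invalid access key %q", accessKey)
	}
	owner := !c.isServiceOrSTS() // the bug: true for every regular user
	return c, owner, nil
}

// checkKeyValidFixed models the intended behaviour: owner is true only for
// the root credentials; every other credential is subject to its policy.
func checkKeyValidFixed(accessKey string) (cred, bool, error) {
	c, ok := store[accessKey]
	if !ok {
		return cred{}, false, fmt.Errorf("invalid access key %q", accessKey)
	}
	owner := c.accessKey == rootAccessKey
	return c, owner, nil
}

// authorize is the downstream decision: owners skip policy evaluation,
// everyone else is checked against the policy attached to their credential.
func authorize(check func(string) (cred, bool, error), accessKey, bucket string) bool {
	c, owner, err := check(accessKey)
	if err != nil {
		return false
	}
	if owner {
		return true
	}
	return c.allowedBuckets[bucket]
}

func main() {
	// Every caller asks for a bucket outside alice's policy.
	for _, key := range []string{"minioadmin", "alice", "alice-svc", "alice-sts", "mallory"} {
		fmt.Printf("%-11s bucket=secrets  vulnerable=%-5v fixed=%v\n", key,
			authorize(checkKeyValidVulnerable, key, "secrets"),
			authorize(checkKeyValidFixed, key, "secrets"))
	}
}
```

Run it and compare the two columns: with the vulnerable check, `alice` (a regular user) is granted access to the `secrets` bucket her policy never mentions, while her service-account and STS credentials are correctly denied; with the fixed check only `minioadmin` is exempt from policy evaluation. On a real deployment the equivalent test is to create a user whose policy names a single bucket and confirm that requests signed with that user's keys against any other bucket are rejected.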
CVSS Score
8.8 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Minio | Minio | `RELEASE.2021-10-10T16-53-30Z` |
Related Weaknesses (CWE)
References
- https://github.com/minio/minio/commit/415bbc74aacd53a120e54a663e941b1809982dbd (Patch, Third Party Advisory)
- https://github.com/minio/minio/pull/13388 (Patch, Third Party Advisory)
- https://github.com/minio/minio/pull/13422 (Patch, Third Party Advisory)
- https://github.com/minio/minio/security/advisories/GHSA-v64v-g97p-577c (Third Party Advisory)
FAQ
What is CVE-2021-41137?
CVE-2021-41137 is a vulnerability with a CVSS score of 8.8 (HIGH). Minio is a Kubernetes native application for cloud storage. All users on release `RELEASE.2021-10-10T16-53-30Z` are affected by a vulnerability that involves bypassing policy restrictions on regular u...
How severe is CVE-2021-41137?
CVE-2021-41137 has been rated HIGH with a CVSS base score of 8.8/10 (see the CVSS Score section above). The impact is that an ordinary authenticated user can act outside the policy assigned to them.
Is there a patch for CVE-2021-41137?
Yes. The fix shipped in `RELEASE.2021-10-13T00-23-17Z` (see the commit, pull requests and GitHub advisory in the References section above); downgrading to `RELEASE.2021-10-08T23-58-24Z` is the documented workaround. The affected product is Minio, release `RELEASE.2021-10-10T16-53-30Z`.