CVE-2021-43858 — HIGH (8.8)

Q: How severe is CVE-2021-43858?

CVE-2021-43858 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2021-43858?

Check the references section above for vendor advisories and patch information. Affected products include: Minio Minio.

Vulnerability Description

MinIO is a Kubernetes native application for cloud storage. Prior to version `RELEASE.2021-12-27T07-23-18Z`, a malicious client can hand-craft an HTTP API call that allows for updating policy for a user and gaining higher privileges. The patch in version `RELEASE.2021-12-27T07-23-18Z` changes the accepted request body type and removes the ability to apply policy changes through this API. There is a workaround for this vulnerability: Changing passwords can be disabled by adding an explicit `Deny` rule to disable the API for users.

CVSS Score

8.8

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Minio	Minio	< 2021-12-27t07-23-18z

Related Weaknesses (CWE)

CWE-269 CWE-863

References

https://github.com/minio/minio/commit/5a96cbbeaabd0a82b0fe881378e7c21c85091abfPatchThird Party Advisory
https://github.com/minio/minio/pull/13976PatchThird Party Advisory
https://github.com/minio/minio/pull/7949PatchThird Party Advisory
https://github.com/minio/minio/releases/tag/RELEASE.2021-12-27T07-23-18ZRelease NotesThird Party Advisory
https://github.com/minio/minio/security/advisories/GHSA-j6jc-jqqc-p6cxPatchThird Party Advisory
https://github.com/minio/minio/commit/5a96cbbeaabd0a82b0fe881378e7c21c85091abfPatchThird Party Advisory
https://github.com/minio/minio/pull/13976PatchThird Party Advisory
https://github.com/minio/minio/pull/7949PatchThird Party Advisory
https://github.com/minio/minio/releases/tag/RELEASE.2021-12-27T07-23-18ZRelease NotesThird Party Advisory
https://github.com/minio/minio/security/advisories/GHSA-j6jc-jqqc-p6cxPatchThird Party Advisory

FAQ

What is CVE-2021-43858?

CVE-2021-43858 is a vulnerability with a CVSS score of 8.8 (HIGH). MinIO is a Kubernetes native application for cloud storage. Prior to version `RELEASE.2021-12-27T07-23-18Z`, a malicious client can hand-craft an HTTP API call that allows for updating policy for a us...

How severe is CVE-2021-43858?

CVE-2021-43858 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-43858?

Check the references section above for vendor advisories and patch information. Affected products include: Minio Minio.