Unrated severityNVD Advisory· Published Oct 13, 2021· Updated Aug 4, 2024

Bypassing policy restrictions on regular users

CVE-2021-41137

Description

Minio is a Kubernetes native application for cloud storage. All users on release RELEASE.2021-10-10T16-53-30Z are affected by a vulnerability that involves bypassing policy restrictions on regular users. Normally, checkKeyValid() should return owner true for rootCreds. In the affected version, policy restriction did not work properly for users who did not have service (svc) or security token service (STS) accounts. This issue is fixed in RELEASE.2021-10-13T00-23-17Z. A downgrade back to release RELEASE.2021-10-08T23-58-24Z is available as a workaround.

Affected products

Minio/Miniov5
Range: = RELEASE.2021-10-10T16-53-30Z

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/minio/minio/commit/415bbc74aacd53a120e54a663e941b1809982dbdmitrex_refsource_MISC
github.com/minio/minio/pull/13388mitrex_refsource_MISC
github.com/minio/minio/pull/13422mitrex_refsource_MISC
github.com/minio/minio/security/advisories/GHSA-v64v-g97p-577cmitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000