Improper Authorization in minio.io minio
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2021-41137 |
| CWE-ID | CWE-285 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
minio Other software / Other software solutions |
| Vendor | minio.io |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
1) Improper Authorization
EUVDB-ID: #VU64786
Risk: Medium
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-41137
CWE-ID:
CWE-285 - Improper Authorization
Exploit availability: No
DescriptionThe vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to policy restriction does not work properly for users who did not have service (svc) or security token service (STS) accounts. A remote user can bypass policy restrictions on regular users and execute arbitrary code on the target system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsminio: 2021-10-10T16-53-30Z
External linkshttp://github.com/minio/minio/security/advisories/GHSA-v64v-g97p-577c
http://github.com/minio/minio/pull/13388
http://github.com/minio/minio/pull/13422
http://github.com/minio/minio/commit/415bbc74aacd53a120e54a663e941b1809982dbd
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
