#VU64786 Improper Authorization in minio - CVE-2021-41137
Published: June 29, 2022
Vulnerability identifier: #VU64786
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2021-41137
CWE-ID: CWE-285
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
minio
minio
Software vendor:
MinIO
MinIO
Description
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to policy restriction does not work properly for users who did not have service (svc) or security token service (STS) accounts. A remote user can bypass policy restrictions on regular users and execute arbitrary code on the target system.
Remediation
Install updates from vendor's website.