#VU64786 Improper Authorization in minio
Vulnerability identifier: #VU64786
Vulnerability risk: Medium
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-285
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
minio
Other software /
Other software solutions
Vendor: minio.io
Description
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to policy restriction does not work properly for users who did not have service (svc) or security token service (STS) accounts. A remote user can bypass policy restrictions on regular users and execute arbitrary code on the target system.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
minio: 2021-10-10T16-53-30Z
External links
http://github.com/minio/minio/security/advisories/GHSA-v64v-g97p-577c
http://github.com/minio/minio/pull/13388
http://github.com/minio/minio/pull/13422
http://github.com/minio/minio/commit/415bbc74aacd53a120e54a663e941b1809982dbd
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
