CVE-2021-43858

Name
CVE-2021-43858
Description
MinIO is a Kubernetes native application for cloud storage. Prior to version `RELEASE.2021-12-27T07-23-18Z`, a malicious client can hand-craft an HTTP API call that allows for updating policy for a user and gaining higher privileges. The patch in version `RELEASE.2021-12-27T07-23-18Z` changes the accepted request body type and removes the ability to apply policy changes through this API. There is a workaround for this vulnerability: Changing passwords can be disabled by adding an explicit `Deny` rule to disable the API for users.
NVD Severity
high
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
MISC https://github.com/minio/minio/commit/5a96cbbeaabd0a82b0fe881378e7c21c85091abf
MISC https://github.com/minio/minio/releases/tag/RELEASE.2021-12-27T07-23-18Z
MISC https://github.com/minio/minio/pull/13976
CONFIRM https://github.com/minio/minio/security/advisories/GHSA-j6jc-jqqc-p6cx
MISC https://github.com/minio/minio/pull/7949

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:* minio >= None < 2021-12-27t07-23-18z

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
minio edge-community 0.20221029.062133-r2 Drew DeVault <sir@cmpwn.com> possibly vulnerable