CVE-2021-43858 - OpenCVE

MinIO is a Kubernetes native application for cloud storage. Prior to version `RELEASE.2021-12-27T07-23-18Z`, a malicious client can hand-craft an HTTP API call that allows for updating policy for a user and gaining higher privileges. The patch in version `RELEASE.2021-12-27T07-23-18Z` changes the accepted request body type and removes the ability to apply policy changes through this API. There is a workaround for this vulnerability: Changing passwords can be disabled by adding an explicit `Deny` rule to disable the API for users.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:S/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Minio	Minio

Configuration 1 [-]

cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*

References

Link	Resource
https://github.com/minio/minio/commit/5a96cbbeaabd0a82b0fe881378e7c21c85091abf	Patch Third Party Advisory
https://github.com/minio/minio/pull/13976	Patch Third Party Advisory
https://github.com/minio/minio/pull/7949	Patch Third Party Advisory
https://github.com/minio/minio/releases/tag/RELEASE.2021-12-27T07-23-18Z	Release Notes Third Party Advisory
https://github.com/minio/minio/security/advisories/GHSA-j6jc-jqqc-p6cx	Patch Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GitHub_M

Published: 2021-12-27T21:20:11

Updated: 2021-12-27T21:20:11

Reserved: 2021-11-16T00:00:00

Link: CVE-2021-43858

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-12-27T22:15:07.703

Modified: 2022-08-09T01:24:28.060

Link: CVE-2021-43858

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "minio", "vendor": "minio", "versions": [{"status": "affected", "version": "< RELEASE.2021-12-27T07-23-18Z"}]}], "descriptions": [{"lang": "en", "value": "MinIO is a Kubernetes native application for cloud storage. Prior to version `RELEASE.2021-12-27T07-23-18Z`, a malicious client can hand-craft an HTTP API call that allows for updating policy for a user and gaining higher privileges. The patch in version `RELEASE.2021-12-27T07-23-18Z` changes the accepted request body type and removes the ability to apply policy changes through this API. There is a workaround for this vulnerability: Changing passwords can be disabled by adding an explicit `Deny` rule to disable the API for users."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-269", "description": "CWE-269: Improper Privilege Management", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-12-27T21:20:11", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/minio/minio/security/advisories/GHSA-j6jc-jqqc-p6cx"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/minio/minio/pull/13976"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/minio/minio/pull/7949"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/minio/minio/commit/5a96cbbeaabd0a82b0fe881378e7c21c85091abf"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/minio/minio/releases/tag/RELEASE.2021-12-27T07-23-18Z"}], "source": {"advisory": "GHSA-j6jc-jqqc-p6cx", "discovery": "UNKNOWN"}, "title": "User privilege escalation in MinIO", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-43858", "STATE": "PUBLIC", "TITLE": "User privilege escalation in MinIO"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "minio", "version": {"version_data": [{"version_value": "< RELEASE.2021-12-27T07-23-18Z"}]}}]}, "vendor_name": "minio"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "MinIO is a Kubernetes native application for cloud storage. Prior to version `RELEASE.2021-12-27T07-23-18Z`, a malicious client can hand-craft an HTTP API call that allows for updating policy for a user and gaining higher privileges. The patch in version `RELEASE.2021-12-27T07-23-18Z` changes the accepted request body type and removes the ability to apply policy changes through this API. There is a workaround for this vulnerability: Changing passwords can be disabled by adding an explicit `Deny` rule to disable the API for users."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-269: Improper Privilege Management"}]}]}, "references": {"reference_data": [{"name": "https://github.com/minio/minio/security/advisories/GHSA-j6jc-jqqc-p6cx", "refsource": "CONFIRM", "url": "https://github.com/minio/minio/security/advisories/GHSA-j6jc-jqqc-p6cx"}, {"name": "https://github.com/minio/minio/pull/13976", "refsource": "MISC", "url": "https://github.com/minio/minio/pull/13976"}, {"name": "https://github.com/minio/minio/pull/7949", "refsource": "MISC", "url": "https://github.com/minio/minio/pull/7949"}, {"name": "https://github.com/minio/minio/commit/5a96cbbeaabd0a82b0fe881378e7c21c85091abf", "refsource": "MISC", "url": "https://github.com/minio/minio/commit/5a96cbbeaabd0a82b0fe881378e7c21c85091abf"}, {"name": "https://github.com/minio/minio/releases/tag/RELEASE.2021-12-27T07-23-18Z", "refsource": "MISC", "url": "https://github.com/minio/minio/releases/tag/RELEASE.2021-12-27T07-23-18Z"}]}, "source": {"advisory": "GHSA-j6jc-jqqc-p6cx", "discovery": "UNKNOWN"}}}}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-43858", "datePublished": "2021-12-27T21:20:11", "dateReserved": "2021-11-16T00:00:00", "dateUpdated": "2021-12-27T21:20:11", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*", "matchCriteriaId": "FEAC2280-F0A0-409B-A579-73896CA26334", "versionEndExcluding": "2021-12-27t07-23-18z", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "MinIO is a Kubernetes native application for cloud storage. Prior to version `RELEASE.2021-12-27T07-23-18Z`, a malicious client can hand-craft an HTTP API call that allows for updating policy for a user and gaining higher privileges. The patch in version `RELEASE.2021-12-27T07-23-18Z` changes the accepted request body type and removes the ability to apply policy changes through this API. There is a workaround for this vulnerability: Changing passwords can be disabled by adding an explicit `Deny` rule to disable the API for users."}, {"lang": "es", "value": "MinIO es una aplicaci\u00f3n nativa de Kubernetes para el almacenamiento en la nube. En versiones anteriores a \"RELEASE.2021-12-27T07-23-18Z\", un cliente malicioso puede elaborar manualmente una llamada a la API HTTP que permite actualizar la pol\u00edtica de un usuario y alcanzar mayores privilegios. El parche de la versi\u00f3n \"RELEASE.2021-12-27T07-23-18Z\" cambia el tipo de cuerpo de petici\u00f3n aceptado y elimina la posibilidad de aplicar cambios de pol\u00edtica mediante esta API. Se presenta una soluci\u00f3n para esta vulnerabilidad: El cambio de contrase\u00f1as puede deshabilitarse al a\u00f1adir una regla expl\u00edcita \"Deny\" para deshabilitar la API para los usuarios"}], "id": "CVE-2021-43858", "lastModified": "2022-08-09T01:24:28.060", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Primary"}]}, "published": "2021-12-27T22:15:07.703", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/minio/minio/commit/5a96cbbeaabd0a82b0fe881378e7c21c85091abf"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/minio/minio/pull/13976"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/minio/minio/pull/7949"}, {"source": "security-advisories@github.com", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/minio/minio/releases/tag/RELEASE.2021-12-27T07-23-18Z"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/minio/minio/security/advisories/GHSA-j6jc-jqqc-p6cx"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-269"}], "source": "security-advisories@github.com", "type": "Secondary"}]}