CVE-2021-43858

high-risk
Published 2021-12-27

MinIO is a Kubernetes native application for cloud storage. Prior to version `RELEASE.2021-12-27T07-23-18Z`, a malicious client can hand-craft an HTTP API call that allows for updating policy for a user and gaining higher privileges. The patch in version `RELEASE.2021-12-27T07-23-18Z` changes the accepted request body type and removes the ability to apply policy changes through this API. There is a workaround for this vulnerability: Changing passwords can be disabled by adding an explicit `Deny` rule to disable the API for users.

Do I need to act?

!
53.1% chance of exploitation in next 30 days
EPSS score — higher than 47% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.8/10 High
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Minio

References (10)

Patch https://github.com/minio/minio/commit/5a96cbbeaabd0a82b0fe881378e7c21c85091abf
Patch https://github.com/minio/minio/pull/13976
Patch https://github.com/minio/minio/pull/7949
Release Notes https://github.com/minio/minio/releases/tag/RELEASE.2021-12-27T07-23-18Z
Patch https://github.com/minio/minio/security/advisories/GHSA-j6jc-jqqc-p6cx
Patch https://github.com/minio/minio/commit/5a96cbbeaabd0a82b0fe881378e7c21c85091abf
Patch https://github.com/minio/minio/pull/13976
Patch https://github.com/minio/minio/pull/7949
Release Notes https://github.com/minio/minio/releases/tag/RELEASE.2021-12-27T07-23-18Z
Patch https://github.com/minio/minio/security/advisories/GHSA-j6jc-jqqc-p6cx
53
/ 100
high-risk
Severity 30/34 · Critical
Exploitability 18/34 · Moderate
Exposure 5/34 · Minimal