[ASA-202102-10] minio: directory traversal

Remi Gacogne rgacogne at archlinux.org
Fri Feb 12 07:05:14 UTC 2021


Arch Linux Security Advisory ASA-202102-10
==========================================

Severity: Medium
Date    : 2021-02-06
CVE-ID  : CVE-2021-21287
Package : minio
Type    : directory traversal
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1520

Summary
=======

The package minio before version 2021.01.30-1 is vulnerable to
directory traversal.

Resolution
==========

Upgrade to 2021.01.30-1.

# pacman -Syu "minio>=2021.01.30-1"

The problem has been fixed upstream in version 2021.01.30.

Workaround
==========

The browser front-end can be disabled with the "MINIO_BROWSER=off"
environment variable.

Description
===========

In MinIO before version RELEASE.2021-01-30T00-20-58Z there is a server-
side request forgery vulnerability. The target application may have
functionality for importing data from a URL, publishing data to a URL,
or otherwise reading data from a URL that can be tampered with. The
attacker modifies the calls to this functionality by supplying a
completely different URL or by manipulating how URLs are built (path
traversal etc.). In a Server-Side Request Forgery (SSRF) attack, the
attacker can abuse functionality on the server to read or update
internal resources. The attacker can supply or modify a URL which the
code running on the server will read or submit data, and by carefully
selecting the URLs, the attacker may be able to read server
configuration such as AWS metadata, connect to internal services like
HTTP enabled databases, or perform post requests towards internal
services which are not intended to be exposed. This is fixed in version
RELEASE.2021-01-30T00-20-58Z, all users are advised to upgrade. As a
workaround you can disable the browser front-end with the
"MINIO_BROWSER=off" environment variable.

Impact
======

A remote attacker can exploit a server-side request forgery
vulnerability to bypass security measures, access sensitive information
and perform privileged actions.

References
==========

https://github.com/minio/minio/security/advisories/GHSA-m4qq-5f7c-693q
https://github.com/minio/minio/pull/11337
https://github.com/minio/minio/commit/eb6871ecd960d570f70698877209e6db181bf276
https://security.archlinux.org/CVE-2021-21287

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 840 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20210212/1b97d072/attachment.sig>


More information about the arch-security mailing list