[ASA-202103-5] minio: access restriction bypass

Morten Linderud foxboron at archlinux.org
Sat Mar 20 12:14:32 UTC 2021


Arch Linux Security Advisory ASA-202103-5
=========================================

Severity: Medium
Date    : 2021-03-13
CVE-ID  : CVE-2021-21362
Package : minio
Type    : access restriction bypass
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1664

Summary
=======

The package minio before version 2021.03.04-1 is vulnerable to access
restriction bypass.

Resolution
==========

Upgrade to 2021.03.04-1.

# pacman -Syu "minio>=2021.03.04-1"

The problem has been fixed upstream in version 2021.03.04.

Workaround
==========

Disabling uploads with `Content-Type: multipart/form-data` as mentioned
in the S3 API RESTObjectPOST docs by
using a proxy in front of MinIO.

Description
===========

In MinIO before version RELEASE.2021-03-04T00-53-13Z it is possible to
bypass a readOnly policy by creating a temporary 'mc share upload' URL.
Everyone using MinIO multi-users is impacted.
As a workaround, one can disable uploads with `Content-Type:
multipart/form-data` as mentioned in the S3 API RESTObjectPOST docs by
using a proxy in front of MinIO.

Impact
======

A remote attacker can alter a read-only resource via a temporary share
upload URL.

References
==========

https://github.com/minio/minio/security/advisories/GHSA-hq5j-6r98-9m8v
https://github.com/minio/minio/pull/11682
https://github.com/minio/minio/commit/039f59b552319fcc2f83631bb421a7d4b82bc482
https://security.archlinux.org/CVE-2021-21362
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20210320/c9df363c/attachment.sig>


More information about the arch-security mailing list