[ASA-202103-5] minio: access restriction bypass
Morten Linderud
foxboron at archlinux.org
Sat Mar 20 12:14:32 UTC 2021
Arch Linux Security Advisory ASA-202103-5
=========================================
Severity: Medium
Date : 2021-03-13
CVE-ID : CVE-2021-21362
Package : minio
Type : access restriction bypass
Remote : Yes
Link : https://security.archlinux.org/AVG-1664
Summary
=======
The package minio before version 2021.03.04-1 is vulnerable to access
restriction bypass.
Resolution
==========
Upgrade to 2021.03.04-1.
# pacman -Syu "minio>=2021.03.04-1"
The problem has been fixed upstream in version 2021.03.04.
Workaround
==========
Disabling uploads with `Content-Type: multipart/form-data` as mentioned
in the S3 API RESTObjectPOST docs by
using a proxy in front of MinIO.
Description
===========
In MinIO before version RELEASE.2021-03-04T00-53-13Z it is possible to
bypass a readOnly policy by creating a temporary 'mc share upload' URL.
Everyone using MinIO multi-users is impacted.
As a workaround, one can disable uploads with `Content-Type:
multipart/form-data` as mentioned in the S3 API RESTObjectPOST docs by
using a proxy in front of MinIO.
Impact
======
A remote attacker can alter a read-only resource via a temporary share
upload URL.
References
==========
https://github.com/minio/minio/security/advisories/GHSA-hq5j-6r98-9m8v
https://github.com/minio/minio/pull/11682
https://github.com/minio/minio/commit/039f59b552319fcc2f83631bb421a7d4b82bc482
https://security.archlinux.org/CVE-2021-21362
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20210320/c9df363c/attachment.sig>
More information about the arch-security
mailing list