cnvd - cnvd-2021-88205

cnvd-2021-88205

Vulnerability from cnvd

Title: Minio访问控制错误漏洞

Description:

Minio MinIO是美国MinIO（Minio）公司的一款开源的对象存储服务器。该产品支持构建用于机器学习、分析和应用程序数据工作负载的基础架构。

Minio 0.12.2及其之前版本存在访问控制错误漏洞，该漏洞源于软件启用外部IDP时，受影响的版本会在操作员控制台中遇到身份验证绕过问题。目前没有详细的漏洞细节提供。

Severity: 高

Patch Name: Minio访问控制错误漏洞的补丁

Patch Description:

Minio MinIO是美国MinIO（Minio）公司的一款开源的对象存储服务器。该产品支持构建用于机器学习、分析和应用程序数据工作负载的基础架构。

Minio 0.12.2及其之前版本存在访问控制错误漏洞，该漏洞源于软件启用外部IDP时，受影响的版本会在操作员控制台中遇到身份验证绕过问题。目前没有详细的漏洞细节提供。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://github.com/minio/console/security/advisories/GHSA-4999-659w-mq36

Reference: https://nvd.nist.gov/vuln/detail/CVE-2021-41266

Impacted products

Name
MinIO MinIO <=0.12.2

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2021-41266"
    }
  },
  "description": "Minio MinIO\u662f\u7f8e\u56fdMinIO\uff08Minio\uff09\u516c\u53f8\u7684\u4e00\u6b3e\u5f00\u6e90\u7684\u5bf9\u8c61\u5b58\u50a8\u670d\u52a1\u5668\u3002\u8be5\u4ea7\u54c1\u652f\u6301\u6784\u5efa\u7528\u4e8e\u673a\u5668\u5b66\u4e60\u3001\u5206\u6790\u548c\u5e94\u7528\u7a0b\u5e8f\u6570\u636e\u5de5\u4f5c\u8d1f\u8f7d\u7684\u57fa\u7840\u67b6\u6784\u3002\n\nMinio 0.12.2\u53ca\u5176\u4e4b\u524d\u7248\u672c\u5b58\u5728\u8bbf\u95ee\u63a7\u5236\u9519\u8bef\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u8f6f\u4ef6\u542f\u7528\u5916\u90e8IDP\u65f6\uff0c\u53d7\u5f71\u54cd\u7684\u7248\u672c\u4f1a\u5728\u64cd\u4f5c\u5458\u63a7\u5236\u53f0\u4e2d\u9047\u5230\u8eab\u4efd\u9a8c\u8bc1\u7ed5\u8fc7\u95ee\u9898\u3002\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://github.com/minio/console/security/advisories/GHSA-4999-659w-mq36",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-88205",
  "openTime": "2021-11-17",
  "patchDescription": "Minio MinIO\u662f\u7f8e\u56fdMinIO\uff08Minio\uff09\u516c\u53f8\u7684\u4e00\u6b3e\u5f00\u6e90\u7684\u5bf9\u8c61\u5b58\u50a8\u670d\u52a1\u5668\u3002\u8be5\u4ea7\u54c1\u652f\u6301\u6784\u5efa\u7528\u4e8e\u673a\u5668\u5b66\u4e60\u3001\u5206\u6790\u548c\u5e94\u7528\u7a0b\u5e8f\u6570\u636e\u5de5\u4f5c\u8d1f\u8f7d\u7684\u57fa\u7840\u67b6\u6784\u3002\r\n\r\nMinio 0.12.2\u53ca\u5176\u4e4b\u524d\u7248\u672c\u5b58\u5728\u8bbf\u95ee\u63a7\u5236\u9519\u8bef\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u8f6f\u4ef6\u542f\u7528\u5916\u90e8IDP\u65f6\uff0c\u53d7\u5f71\u54cd\u7684\u7248\u672c\u4f1a\u5728\u64cd\u4f5c\u5458\u63a7\u5236\u53f0\u4e2d\u9047\u5230\u8eab\u4efd\u9a8c\u8bc1\u7ed5\u8fc7\u95ee\u9898\u3002\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Minio\u8bbf\u95ee\u63a7\u5236\u9519\u8bef\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "MinIO MinIO \u003c=0.12.2"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2021-41266",
  "serverity": "\u9ad8",
  "submitTime": "2021-11-17",
  "title": "Minio\u8bbf\u95ee\u63a7\u5236\u9519\u8bef\u6f0f\u6d1e"
}

CVE-2021-41266 (GCVE-0-2021-41266)

Vulnerability from cvelistv5

Published

2021-11-15 20:20

Modified

2024-08-04 03:08

Severity ?

8.6 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

CWE

CWE-306 - Missing Authentication for Critical Function

Summary

Minio console is a graphical user interface for the for MinIO operator. Minio itself is a multi-cloud object storage project. Affected versions are subject to an authentication bypass issue in the Operator Console when an external IDP is enabled. All users on release v0.12.2 and before are affected and are advised to update to 0.12.3 or newer. Users unable to upgrade should add automountServiceAccountToken: false to the operator-console deployment in Kubernetes so no service account token will get mounted inside the pod, then disable the external identity provider authentication by unset the CONSOLE_IDP_URL, CONSOLE_IDP_CLIENT_ID, CONSOLE_IDP_SECRET and CONSOLE_IDP_CALLBACK environment variable and instead use the Kubernetes service account token.

References

▼	URL	Tags
	https://github.com/minio/console/security/advisories/GHSA-4999-659w-mq36	x_refsource_CONFIRM
	https://github.com/minio/console/pull/1217	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	minio	console	Version: < 0.12.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T03:08:31.619Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/minio/console/security/advisories/GHSA-4999-659w-mq36"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/minio/console/pull/1217"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "console",
          "vendor": "minio",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.12.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Minio console is a graphical user interface for the for MinIO operator. Minio itself is a multi-cloud object storage project. Affected versions are subject to an authentication bypass issue in the Operator Console when an external IDP is enabled. All users on release v0.12.2 and before are affected and are advised to update to 0.12.3 or newer. Users unable to upgrade should add automountServiceAccountToken: false to the operator-console deployment in Kubernetes so no service account token will get mounted inside the pod, then disable the external identity provider authentication by unset the CONSOLE_IDP_URL, CONSOLE_IDP_CLIENT_ID, CONSOLE_IDP_SECRET and CONSOLE_IDP_CALLBACK environment variable and instead use the Kubernetes service account token."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-306",
              "description": "CWE-306: Missing Authentication for Critical Function",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-11-15T20:20:10",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/minio/console/security/advisories/GHSA-4999-659w-mq36"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/minio/console/pull/1217"
        }
      ],
      "source": {
        "advisory": "GHSA-4999-659w-mq36",
        "discovery": "UNKNOWN"
      },
      "title": "Authentication bypass issue in the Operator Console",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-41266",
          "STATE": "PUBLIC",
          "TITLE": "Authentication bypass issue in the Operator Console"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "console",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 0.12.3"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "minio"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Minio console is a graphical user interface for the for MinIO operator. Minio itself is a multi-cloud object storage project. Affected versions are subject to an authentication bypass issue in the Operator Console when an external IDP is enabled. All users on release v0.12.2 and before are affected and are advised to update to 0.12.3 or newer. Users unable to upgrade should add automountServiceAccountToken: false to the operator-console deployment in Kubernetes so no service account token will get mounted inside the pod, then disable the external identity provider authentication by unset the CONSOLE_IDP_URL, CONSOLE_IDP_CLIENT_ID, CONSOLE_IDP_SECRET and CONSOLE_IDP_CALLBACK environment variable and instead use the Kubernetes service account token."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-306: Missing Authentication for Critical Function"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/minio/console/security/advisories/GHSA-4999-659w-mq36",
              "refsource": "CONFIRM",
              "url": "https://github.com/minio/console/security/advisories/GHSA-4999-659w-mq36"
            },
            {
              "name": "https://github.com/minio/console/pull/1217",
              "refsource": "MISC",
              "url": "https://github.com/minio/console/pull/1217"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-4999-659w-mq36",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2021-41266",
    "datePublished": "2021-11-15T20:20:10",
    "dateReserved": "2021-09-15T00:00:00",
    "dateUpdated": "2024-08-04T03:08:31.619Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted