CVE-2021-21362

2021-03-0819:15:13

Google

osv.dev

6.6 Medium

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

43.3%

JSON

MinIO is an open-source high performance object storage service and it is API compatible with Amazon S3 cloud storage service. In MinIO before version RELEASE.2021-03-04T00-53-13Z it is possible to bypass a readOnly policy by creating a temporary ‘mc share upload’ URL. Everyone is impacted who uses MinIO multi-users. This is fixed in version RELEASE.2021-03-04T00-53-13Z. As a workaround, one can disable uploads with Content-Type: multipart/form-data as mentioned in the S3 API RESTObjectPOST docs by using a proxy in front of MinIO.

CPENameOperatorVersion
minioeqRELEASE.2018-10-06T00-15-16Z
minioeqRELEASE.2018-05-11T00-29-24Z
minioeqRELEASE.2019-06-01T03-46-14Z
minioeqRELEASE.2018-05-16T23-35-33Z
minioeqRELEASE.2018-09-12T18-49-56Z
minioeqRELEASE.2018-09-11T01-39-21Z
minioeqRELEASE.2019-12-30T05-45-39Z
minioeqRELEASE.2021-02-11T08-23-43Z
minioeqrelease-1434511043
minioeqRELEASE.2016-08-21T02-44-47Z

Name	Operator	Version
minio	eq	RELEASE.2018-10-06T00-15-16Z
minio	eq	RELEASE.2018-05-11T00-29-24Z
minio	eq	RELEASE.2019-06-01T03-46-14Z
minio	eq	RELEASE.2018-05-16T23-35-33Z
minio	eq	RELEASE.2018-09-12T18-49-56Z
minio	eq	RELEASE.2018-09-11T01-39-21Z
minio	eq	RELEASE.2019-12-30T05-45-39Z
minio	eq	RELEASE.2021-02-11T08-23-43Z
minio	eq	release-1434511043
minio	eq	RELEASE.2016-08-21T02-44-47Z