Subject: [ASA-202103-5] minio: access restriction bypass Arch Linux Security Advisory ASA-202103-5 ========================================= Severity: Medium Date : 2021-03-13 CVE-ID : CVE-2021-21362 Package : minio Type : access restriction bypass Remote : Yes Link : https://security.archlinux.org/AVG-1664 Summary ======= The package minio before version 2021.03.04-1 is vulnerable to access restriction bypass. Resolution ========== Upgrade to 2021.03.04-1. # pacman -Syu "minio>=2021.03.04-1" The problem has been fixed upstream in version 2021.03.04. Workaround ========== Disabling uploads with `Content-Type: multipart/form-data` as mentioned in the S3 API RESTObjectPOST docs by using a proxy in front of MinIO. Description =========== In MinIO before version RELEASE.2021-03-04T00-53-13Z it is possible to bypass a readOnly policy by creating a temporary 'mc share upload' URL. Everyone using MinIO multi-users is impacted. As a workaround, one can disable uploads with `Content-Type: multipart/form-data` as mentioned in the S3 API RESTObjectPOST docs by using a proxy in front of MinIO. Impact ====== A remote attacker can alter a read-only resource via a temporary share upload URL. References ========== https://github.com/minio/minio/security/advisories/GHSA-hq5j-6r98-9m8v https://github.com/minio/minio/pull/11682 https://github.com/minio/minio/commit/039f59b552319fcc2f83631bb421a7d4b82bc482 https://security.archlinux.org/CVE-2021-21362