CVE-2021-21362 log

Source	CVE Red Hat MITRE NVD Debian Ubuntu SUSE Alpine Mageia CVE Details CIRCL Bugs Arch Linux Red Hat Gentoo SUSE GitHub Lists oss-security full-disclosure bugtraq Misc GitHub code web search
Severity	Medium
Remote	Yes
Type	Access restriction bypass
Description	In MinIO before version RELEASE.2021-03-04T00-53-13Z it is possible to bypass a readOnly policy by creating a temporary 'mc share upload' URL. Everyone using MinIO multi-users is impacted. As a workaround, one can disable uploads with `Content-Type: multipart/form-data` as mentioned in the S3 API RESTObjectPOST docs by using a proxy in front of MinIO.

Group	Package	Affected	Fixed	Severity	Status	Ticket
AVG-1664	minio	2021.02.19-1	2021.03.04-1	Medium	Fixed

Date	Advisory	Group	Package	Severity	Type
13 Mar 2021	ASA-202103-5	AVG-1664	minio	Medium	access restriction bypass

References
https://github.com/minio/minio/security/advisories/GHSA-hq5j-6r98-9m8v https://github.com/minio/minio/pull/11682 https://github.com/minio/minio/commit/039f59b552319fcc2f83631bb421a7d4b82bc482