CVE-2021-21362 log

Severity Medium
Remote Yes
Type Access restriction bypass
In MinIO before version RELEASE.2021-03-04T00-53-13Z it is possible to bypass a readOnly policy by creating a temporary 'mc share upload' URL. Everyone using MinIO multi-users is impacted. 
As a workaround, one can disable uploads with `Content-Type: multipart/form-data` as mentioned in the S3 API RESTObjectPOST docs by using a proxy in front of MinIO.
Group Package Affected Fixed Severity Status Ticket
AVG-1664 minio 2021.02.19-1 2021.03.04-1 Medium Fixed
Date Advisory Group Package Severity Type
13 Mar 2021 ASA-202103-5 AVG-1664 minio Medium access restriction bypass