CVE-2021-41137 - log

CVE-2021-41137 edited at 13 Oct 2021 16:35:37
Description
- All users on Minio release RELEASE.2021-10-10T16-53-30Z are affected by a vulnerability that involves bypassing policy restrictions on regular users. Normally, checkKeyValid() should return owner true for rootCreds. In the affected version, policy restriction did not work properly for users who did not have service (svc) or security token service (STS) accounts. This issue is fixed in RELEASE.2021-10-13T00-23-17Z.
+ All users on MinIO release RELEASE.2021-10-10T16-53-30Z are affected by a vulnerability that involves bypassing policy restrictions on regular users. Normally, checkKeyValid() should return owner true for rootCreds. In the affected version, policy restriction did not work properly for users who did not have service (svc) or security token service (STS) accounts. This issue is fixed in RELEASE.2021-10-13T00-23-17Z.
CVE-2021-41137 edited at 13 Oct 2021 16:35:03
Severity
- Unknown
+ High
Remote
- Unknown
+ Remote
Type
- Unknown
+ Access restriction bypass
Description
+ All users on Minio release RELEASE.2021-10-10T16-53-30Z are affected by a vulnerability that involves bypassing policy restrictions on regular users. Normally, checkKeyValid() should return owner true for rootCreds. In the affected version, policy restriction did not work properly for users who did not have service (svc) or security token service (STS) accounts. This issue is fixed in RELEASE.2021-10-13T00-23-17Z.
References
+ https://github.com/minio/minio/security/advisories/GHSA-v64v-g97p-577c
+ https://github.com/minio/minio/pull/13388
+ https://github.com/minio/minio/pull/13422
+ https://github.com/minio/minio/commit/415bbc74aacd53a120e54a663e941b1809982dbd
Notes
CVE-2021-41137 created at 13 Oct 2021 16:32:21