Home > Vulnerability Database > CVE-2021-41137

Mend.io Vulnerability Database

CVE-2021-41137

Good to know:

Date: October 13, 2021

Minio is a Kubernetes native application for cloud storage. All users on release `RELEASE.2021-10-10T16-53-30Z` are affected by a vulnerability that involves bypassing policy restrictions on regular users. Normally, checkKeyValid() should return owner true for rootCreds. In the affected version, policy restriction did not work properly for users who did not have service (svc) or security token service (STS) accounts. This issue is fixed in `RELEASE.2021-10-13T00-23-17Z`. A downgrade back to release `RELEASE.2021-10-08T23-58-24Z` is available as a workaround.

Language: Go

Severity Score

8.8

Related Resources (6)

Url: https://nvd.nist.gov/vuln/detail/CVE-2021-41137

Url: https://github.com/minio/minio/pull/13388

Url: https://github.com/minio/minio/pull/13422

Url: https://github.com/minio/minio/security/advisories/GHSA-v64v-g97p-577c

Url: https://github.com/minio/minio/commit/415bbc74aacd53a120e54a663e941b1809982dbd

Url: https://www.mend.io/vulnerability-database/CVE-2021-41137

Severity Score

8.8

Weakness Type (CWE)

Improper Authorization

CWE-285

Top Fix

Upgrade Version

Upgrade to version RELEASE.2021-10-13T00-23-17Z

Learn More

CVSS v3.1

Base Score:	8.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

CVSS v2

Base Score:	6.5
Access Vector (AV):	NETWORK
Access Complexity (AC):	LOW
Authentication (AU):	SINGLE
Confidentiality (C):	PARTIAL
Integrity (I):	PARTIAL
Availability (A):	PARTIAL
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2021-41137

Good to know:

Date: October 13, 2021

Language: Go

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?