Privilege Escalation Affecting github.com/minio/minio/cmd Open this link in a new tab package, versions <0.0.0-20211223172121-5a96cbbeaabd


0.0
high
  • Attack Complexity

    High

  • Confidentiality

    High

  • Integrity

    High

  • Availability

    High

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • snyk-id

    SNYK-GOLANG-GITHUBCOMMINIOMINIOCMD-2327117

  • published

    28 Dec 2021

  • disclosed

    28 Dec 2021

  • credit

    Unknown

How to fix?

Upgrade github.com/minio/minio/cmd to version 0.0.0-20211223172121-5a96cbbeaabd or higher.

Overview

github.com/minio/minio/cmd is an open source object storage server compatible with Amazon S3 APIs.

Affected versions of this package are vulnerable to Privilege Escalation where a malicious client can hand-craft an HTTP API call that allows for updating Policy for a user and gaining higher privileges.

Note: Prior knowledge of Admin API calls is needed to come up with an exploit and the user must have valid credentials to access the MinIO service. Also, changing passwords can be disabled as a workaround for this issue by adding an explicit "Deny" rule to disable the API for users.