Privilege Escalation Affecting Open this link in a new tab package, versions <0.0.0-20211223172121-5a96cbbeaabd

  • Attack Complexity


  • Confidentiality


  • Integrity


  • Availability


Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • snyk-id


  • published

    28 Dec 2021

  • disclosed

    28 Dec 2021

  • credit


How to fix?

Upgrade to version 0.0.0-20211223172121-5a96cbbeaabd or higher.

Overview is an open source object storage server compatible with Amazon S3 APIs.

Affected versions of this package are vulnerable to Privilege Escalation where a malicious client can hand-craft an HTTP API call that allows for updating Policy for a user and gaining higher privileges.

Note: Prior knowledge of Admin API calls is needed to come up with an exploit and the user must have valid credentials to access the MinIO service. Also, changing passwords can be disabled as a workaround for this issue by adding an explicit "Deny" rule to disable the API for users.