Homepage
About Snyk

Privilege Escalation Affecting github.com/minio/minio/cmd package, versions <0.0.0-20211223172121-5a96cbbeaabd

Severity

 Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    EPSS
    0.15% (52nd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-GOLANG-GITHUBCOMMINIOMINIOCMD-2327117
  • published 28 Dec 2021
  • disclosed 28 Dec 2021
  • credit Unknown
Report a new vulnerability Found a mistake?

Introduced: 28 Dec 2021

CVE-2021-43858 Open this link in a new tab
CWE-264 Open this link in a new tab

How to fix?

Upgrade github.com/minio/minio/cmd to version 0.0.0-20211223172121-5a96cbbeaabd or higher.

Overview

github.com/minio/minio/cmd is an open source object storage server compatible with Amazon S3 APIs.

Affected versions of this package are vulnerable to Privilege Escalation where a malicious client can hand-craft an HTTP API call that allows for updating Policy for a user and gaining higher privileges.

Note: Prior knowledge of Admin API calls is needed to come up with an exploit and the user must have valid credentials to access the MinIO service. Also, changing passwords can be disabled as a workaround for this issue by adding an explicit "Deny" rule to disable the API for users.

CVSS Scores

version 3.1
Expand this section

Snyk

Recommended
7.5 high
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    High
  • Privileges Required (PR)
    Low
  • User Interaction (UI)
    None
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    High
  • Integrity (I)
    High
  • Availability (A)
    High
Expand this section

NVD

8.8 high