Privilege Escalation Affecting github.com/minio/minio/cmd package, versions <0.0.0-20211223172121-5a96cbbeaabd


0.0
high

Snyk CVSS

    Attack Complexity High
    Confidentiality High
    Integrity High
    Availability High

    Threat Intelligence

    EPSS 0.15% (50th percentile)
Expand this section
NVD
8.8 high

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-GOLANG-GITHUBCOMMINIOMINIOCMD-2327117
  • published 28 Dec 2021
  • disclosed 28 Dec 2021
  • credit Unknown

How to fix?

Upgrade github.com/minio/minio/cmd to version 0.0.0-20211223172121-5a96cbbeaabd or higher.

Overview

github.com/minio/minio/cmd is an open source object storage server compatible with Amazon S3 APIs.

Affected versions of this package are vulnerable to Privilege Escalation where a malicious client can hand-craft an HTTP API call that allows for updating Policy for a user and gaining higher privileges.

Note: Prior knowledge of Admin API calls is needed to come up with an exploit and the user must have valid credentials to access the MinIO service. Also, changing passwords can be disabled as a workaround for this issue by adding an explicit "Deny" rule to disable the API for users.