| Field | Value |
|---|---|
| Summary | net-fs/minio-2021.03.04.00.53.13: multiple vulnerabilities (CVE-2021-{21287,21362}) |
| Product | Gentoo Security |
| Component | Vulnerabilities |
| Reporter | John Helmert III <ajak> |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | trivial |
| CC | maintainer-needed |
| Priority | Normal |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | https://github.com/minio/minio/security/advisories/GHSA-m4qq-5f7c-693q |
| Whiteboard | ~4 [noglsa cve] |
| Package list | |
| Runtime testing required | --- |
Description
John Helmert III, 2021-02-02 04:20:19 UTC
CVE-2021-21362: MinIO is an open-source high performance object storage service and it is API compatible with Amazon S3 cloud storage service. In MinIO before version RELEASE.2021-03-04T00-53-13Z it is possible to bypass a readOnly policy by creating a temporary 'mc share upload' URL. Everyone is impacted who uses MinIO multi-users. This is fixed in version RELEASE.2021-03-04T00-53-13Z. As a workaround, one can disable uploads with `Content-Type: multipart/form-data` as mentioned in the S3 API RESTObjectPOST docs by using a proxy in front of MinIO.
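One way to apply the proxy workaround named in the CVE text, as an added example that is not part of the bug report, the advisory or the MinIO project: an nginx fragment that refuses any POST request whose body is `multipart/form-data` before it reaches MinIO, so the S3 POST Object (browser form upload) path that the temporary share URL relies on is closed off while PUT Object and the multipart-upload API keep working. The listen port, the hostname, the TLS file paths and the upstream address 127.0.0.1:9000 are assumptions.

```nginx
# Added example (not from the bug, the advisory or MinIO): block S3 POST Object
# form uploads at a reverse proxy, the workaround given in the CVE description.
# Assumed layout: nginx on :443 in front of a MinIO server on 127.0.0.1:9000.

# Evaluates to 1 when the request is a POST carrying a multipart/form-data body,
# 0 otherwise.  Only the browser-form upload path (POST Object) uses this
# content type; PUT Object and the multipart-upload API are unaffected.
map "$request_method:$content_type" $block_form_upload {
    default                          0;
    "~*^POST:multipart/form-data"    1;
}

server {
    listen 443 ssl;
    server_name minio.example.internal;              # assumed hostname
    ssl_certificate     /etc/nginx/tls/minio.crt;    # assumed paths
    ssl_certificate_key /etc/nginx/tls/minio.key;

    client_max_body_size 0;    # let MinIO enforce its own object size limits

    location / {
        if ($block_form_upload) {
            return 403;        # refused here; MinIO never sees the request
        }
        proxy_pass http://127.0.0.1:9000;
        proxy_http_version 1.1;
        proxy_set_header Host              $http_host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_request_buffering off;   # stream PUT uploads straight through
    }
}
```

The rule also rejects legitimate presigned POST uploads, so it belongs in place only until the server is on RELEASE.2021-03-04T00-53-13Z or later; after the upgrade it can be removed, or kept as extra hardening if nothing in the deployment uses form-based uploads. Counting 403 responses matched by `$block_form_upload` in the access log gives a cheap signal of whether anyone was actually exercising the path.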