Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 830137

Summary: net-fs/minio: user privilege escalation
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED DUPLICATE    
Severity: minor CC: maintainer-needed
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://github.com/minio/minio/security/advisories/GHSA-j6jc-jqqc-p6cx
Whiteboard: B3 [ebuild]
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-12-28 04:56:36 UTC 
CVE-2021-43858 (https://github.com/minio/minio/commit/5a96cbbeaabd0a82b0fe881378e7c21c85091abf):

MinIO is a Kubernetes native application for cloud storage. Prior to version `RELEASE.2021-12-27T07-23-18Z`, a malicious client can hand-craft an HTTP API call that allows for updating policy for a user and gaining higher privileges. The patch in version `RELEASE.2021-12-27T07-23-18Z` changes the accepted request body type and removes the ability to apply policy changes through this API. There is a workaround for this vulnerability: Changing passwords can be disabled by adding an explicit `Deny` rule to disable the API for users.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-04 03:03:24 UTC 

*** This bug has been marked as a duplicate of bug 850547 ***