
CVE-2021-43858 : Security Advisory and Response

Learn about CVE-2021-43858, a high-severity privilege escalation vulnerability in MinIO versions before RELEASE.2021-12-27T07-23-18Z. Find out the impact, affected systems, exploitation details, and mitigation steps.

MinIO is a Kubernetes-native application for cloud storage. A vulnerability in versions prior to RELEASE.2021-12-27T07-23-18Z allows a malicious client to escalate user privileges by crafting a specific HTTP API call.

Understanding CVE-2021-43858

What is CVE-2021-43858?

CVE-2021-43858 is a privilege escalation vulnerability in MinIO versions before RELEASE.2021-12-27T07-23-18Z, allowing unauthorized users to gain elevated permissions.

The Impact of CVE-2021-43858

The vulnerability has a CVSS base score of 8.8 (High severity) due to its potential impact on confidentiality, integrity, and availability. An attacker can exploit the issue over the network with low privileges and no user interaction.

Technical Details of CVE-2021-43858

Vulnerability Description

The flaw enables a malicious client to manipulate an HTTP API call so that, alongside the intended request, it updates the policies attached to a user and thereby acquires heightened privileges. The patch in RELEASE.2021-12-27T07-23-18Z changes which request bodies the server accepts, so that this API call can no longer be used to change a user's policy.

Affected Systems and Versions

        Product: MinIO
        Vendor: MinIO
        Versions Affected: Prior to RELEASE.2021-12-27T07-23-18Z

Exploitation Mechanism

        Attack Complexity: Low
        Attack Vector: Network
        Privileges Required: Low
        User Interaction: None
        Scope: Unchanged

Mitigation and Prevention

Immediate Steps to Take

        Upgrade to version RELEASE.2021-12-27T07-23-18Z to apply the patch.
        Implement the workaround by disabling password changes through an explicit Deny rule.

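The workaround above relies on an explicit Deny statement in the user's policy. The following is an added example, not code from the advisory or from the MinIO project: a minimal evaluator for MinIO/IAM-style policy documents that checks whether a policy carries such a Deny, applying the usual rule that an explicit Deny wins over any Allow. It assumes that the admin action governing password changes is named admin:CreateUser (MinIO uses the same admin action for creating a user and for setting an existing user's password); the bucket name app-data and both policy documents are constructed for illustration.

```python
"""Check a MinIO/IAM-style policy for the explicit Deny the workaround calls for.

Added example; not part of the advisory or the MinIO code base.
Assumption: the admin action that covers password changes is "admin:CreateUser".
The bucket "app-data" and the two policies below are constructed sample data.
"""
import fnmatch
import json

# Constructed: a typical application-user policy with the workaround Deny attached.
WORKAROUND_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
      "Resource": ["arn:aws:s3:::app-data", "arn:aws:s3:::app-data/*"]
    },
    {
      "Effect": "Deny",
      "Action": ["admin:CreateUser"]
    }
  ]
}
""")

# Constructed: the same policy without the Deny statement (no workaround applied).
PERMISSIVE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
      "Resource": ["arn:aws:s3:::app-data", "arn:aws:s3:::app-data/*"]
    }
  ]
}
""")

PASSWORD_CHANGE_ACTION = "admin:CreateUser"  # assumed action name, see docstring


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """IAM-style wildcard match: '*' and '?' are allowed inside actions and ARNs."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def evaluate(policy, action, resource=None):
    """Return "Deny", "Allow" or "ImplicitDeny" for one action (and optional resource).

    An explicit Deny on a matching statement short-circuits everything else.
    Admin actions carry no Resource field; S3 actions must match a Resource ARN.
    """
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action):
            continue
        if "Resource" in stmt:
            if resource is None or not _matches(stmt["Resource"], resource):
                continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def password_change_denied(policy):
    """True only when the policy carries an explicit Deny for the password-change action.

    The advisory asks for an explicit Deny rule, so the mere absence of an Allow
    (an implicit deny) is deliberately not treated as sufficient here.
    """
    return evaluate(policy, PASSWORD_CHANGE_ACTION) == "Deny"


if __name__ == "__main__":
    for name, pol in (("workaround", WORKAROUND_POLICY), ("permissive", PERMISSIVE_POLICY)):
        print(f"{name}: password change explicitly denied = {password_change_denied(pol)}")
```

Running the module prints the verdict for both policies; in a deployment the same check could be run over every policy document exported from the cluster to confirm that no user policy is missing the Deny statement until the upgrade to RELEASE.2021-12-27T07-23-18Z is complete.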
Long-Term Security Practices

        Regularly audit and review user privileges and access controls.
        Monitor API calls for suspicious activities.
        Educate users on best security practices.

Patching and Updates

Ensure timely updates and patches from MinIO to address security vulnerabilities.
