
Bypassing readOnly policy by creating a temporary 'mc share upload' URL

Moderate
harshavardhana published GHSA-hq5j-6r98-9m8v Mar 4, 2021

Package

MinIO

Affected versions

< RELEASE.2021-03-04T00-53-13Z

Patched versions

RELEASE.2021-03-04T00-53-13Z

Description

Impact

Every deployment that uses MinIO with multiple users is affected: a user restricted by a readOnly policy could create a temporary 'mc share upload' URL and use it to upload objects, bypassing the policy.

Patches

Users are advised to upgrade to RELEASE.2021-03-04T00-53-13Z to fix this problem.

The problem is addressed by PR #11682.

Workarounds

Until you can upgrade, disable uploads that use Content-Type: multipart/form-data (the S3 POST Object operation, https://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectPOST.html) by placing a proxy in front of MinIO. 'mc share upload' URLs are consumed through a browser-style form POST of exactly that type, so refusing it at the proxy blocks the bypass. Note that this also blocks legitimate form uploads for every user until the upgrade is done.
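The following is an added example of such a filtering proxy, written here to illustrate the workaround; it is not MinIO's code and not part of the advisory. It assumes MinIO listens on 127.0.0.1:9000 and the proxy on :8080 (both hypothetical). Any request whose Content-Type parses as multipart/form-data is answered with 403 before it reaches MinIO; everything else is forwarded unchanged.

```go
package main

import (
	"log"
	"mime"
	"net/http"
	"net/http/httputil"
	"net/url"
	"strings"
)

// isFormUpload reports whether a request carries the Content-Type used by
// the S3 "POST Object" operation (multipart/form-data). The media type is
// parsed so that the boundary parameter, casing and surrounding whitespace
// do not affect the decision.
func isFormUpload(contentType string) bool {
	mediaType, _, err := mime.ParseMediaType(contentType)
	if err != nil {
		// A header that does not parse must not be a way around the filter:
		// fall back to a case-insensitive prefix match.
		return strings.HasPrefix(strings.ToLower(strings.TrimSpace(contentType)), "multipart/form-data")
	}
	return strings.EqualFold(mediaType, "multipart/form-data")
}

// RejectFormUploads wraps next and answers 403 to any multipart/form-data
// request. All other requests (PUT Object, GET, multipart uploads using the
// native API, etc.) are passed through untouched.
func RejectFormUploads(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if isFormUpload(r.Header.Get("Content-Type")) {
			http.Error(w, "POST Object form uploads are disabled", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// NewFilteringProxy builds a reverse proxy to the MinIO endpoint at target
// with the form-upload filter in front of it.
func NewFilteringProxy(target string) (http.Handler, error) {
	u, err := url.Parse(target)
	if err != nil {
		return nil, err
	}
	return RejectFormUploads(httputil.NewSingleHostReverseProxy(u)), nil
}

func main() {
	// Assumed addresses: MinIO on 127.0.0.1:9000, this proxy on :8080.
	h, err := NewFilteringProxy("http://127.0.0.1:9000")
	if err != nil {
		log.Fatal(err)
	}
	log.Fatal(http.ListenAndServe(":8080", h))
}
```

Clients must then be pointed at the proxy rather than at MinIO directly, and MinIO's own port should not be reachable from clients, otherwise the filter is simply skipped.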

References

This issue was reported directly to security@minio.io and was reproduced by @vonera.

For more information

If you have any questions or comments about this advisory:

Severity

Moderate

CVE ID

CVE-2021-21362

Weaknesses

No CWEs

Credits