ASA-202103-5: minio: access restriction bypass
Arch Linux Security Advisory ASA-202103-5
========================================
Severity: Medium
Date : 2021-03-13
CVE-ID : CVE-2021-21362
Package : minio
Type : access restriction bypass
Remote : Yes
Link : https://security.archlinux.org/AVG-1664
Summary
======
The package minio before version 2021.03.04-1 is vulnerable to access
restriction bypass.
Resolution
=========
Upgrade to 2021.03.04-1.
# pacman -Syu "minio> 21.03.04-1"
The problem has been fixed upstream in version 2021.03.04.
Workaround
=========
Disabling uploads with `Content-Type: multipart/form-data` as mentioned
in the S3 API RESTObjectPOST docs by
using a proxy in front of MinIO.
Description
==========
In MinIO before version RELEASE.2021-03-04T00-53-13Z it is possible to
bypass a readOnly policy by creating a temporary 'mc share upload' URL.
Everyone using MinIO multi-users is impacted.
As a workaround, one can disable uploads with `Content-Type:
multipart/form-data` as mentioned in the S3 API RESTObjectPOST docs by
using a proxy in front of MinIO.
Impact
=====
A remote attacker can alter a read-only resource via a temporary share
upload URL.
References
=========
https://github.com/minio/minio/security/advisories/GHSA-hq5j-6r98-9m8v
https://github.com/minio/minio/pull/11682
https://github.com/minio/minio/commit/039f59b552319fcc2f83631bb421a7d4b82bc482
https://security.archlinux.org/CVE-2021-21362
A minio security update has been released for Arch Linux.