Arch Linux 804 Published by

A minio security update has been released for Arch Linux.



ASA-202103-5: minio: access restriction bypass


Arch Linux Security Advisory ASA-202103-5
========================================
Severity: Medium
Date : 2021-03-13
CVE-ID : CVE-2021-21362
Package : minio
Type : access restriction bypass
Remote : Yes
Link :   https://security.archlinux.org/AVG-1664

Summary
======
The package minio before version 2021.03.04-1 is vulnerable to access
restriction bypass.

Resolution
=========
Upgrade to 2021.03.04-1.

# pacman -Syu "minio> 21.03.04-1"

The problem has been fixed upstream in version 2021.03.04.

Workaround
=========
Disabling uploads with `Content-Type: multipart/form-data` as mentioned
in the S3 API RESTObjectPOST docs by
using a proxy in front of MinIO.

Description
==========
In MinIO before version RELEASE.2021-03-04T00-53-13Z it is possible to
bypass a readOnly policy by creating a temporary 'mc share upload' URL.
Everyone using MinIO multi-users is impacted.
As a workaround, one can disable uploads with `Content-Type:
multipart/form-data` as mentioned in the S3 API RESTObjectPOST docs by
using a proxy in front of MinIO.

Impact
=====
A remote attacker can alter a read-only resource via a temporary share
upload URL.

References
=========
  https://github.com/minio/minio/security/advisories/GHSA-hq5j-6r98-9m8v
  https://github.com/minio/minio/pull/11682
  https://github.com/minio/minio/commit/039f59b552319fcc2f83631bb421a7d4b82bc482
  https://security.archlinux.org/CVE-2021-21362