CVE-2021-41137: Bypassing policy restrictions on regular users
MinIO is a Kubernetes-native application for cloud storage. All users on release RELEASE.2021-10-10T16-53-30Z are affected by a vulnerability that allows policy restrictions on regular users to be bypassed. Normally, checkKeyValid() should return owner=true only for the root credentials (rootCreds). In the affected version, policy restrictions were not enforced for users who were neither service (svc) accounts nor security token service (STS) accounts. This issue is fixed in RELEASE.2021-10-13T00-23-17Z. A downgrade back to release RELEASE.2021-10-08T23-58-24Z is available as a workaround.
Affected versions
RELEASE.2021-10-10T16-53-30Z
Patched versions
RELEASE.2021-10-13T00-23-17Z
Impact
All users on release RELEASE.2021-10-10T16-53-30Z are affected.
Patches
commit 415bbc74aacd53a120e54a663e941b1809982dbd
Author: Harshavardhana <[email protected]>
Date: Tue Oct 12 13:18:02 2021 -0700
checkKeyValid() should return owner true for rootCreds (#13422)
Looks like policy restriction was not working properly
for normal users when they are not svc or STS accounts.
- svc accounts are now properly fixed to get
right permissions when it's inherited, so
we do not have to set 'owner = true'
- sts accounts have always been using right
permissions, do not need an explicit lookup
- regular users always have proper policy mapping
Users should upgrade to RELEASE.2021-10-13T00-23-17Z if they have upgraded to RELEASE.2021-10-10T16-53-30Z to mitigate this problem.
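The following Go program is an added illustration for this advisory and is not MinIO's code. It models, in simplified form, the authorization decision the commit message describes: a credential flagged as "owner" skips policy evaluation entirely, so the owner flag must be true only for the root credentials. The "buggy" variant is a reading of the regression as the commit message states it (regular users that are neither svc nor STS accounts treated as owner), not MinIO's actual pre-fix code, and every type and function name below (credKind, Credentials, checkKeyValidBuggy, checkKeyValidFixed, isAllowed, AllowedBuggy, AllowedFixed) is an assumption made for the example.

```go
package main

import "fmt"

// Added illustration for the advisory, not MinIO's code. The names and the
// policy model here are assumptions; the "buggy" branch is a reading of the
// regression described in the commit message, not the real pre-fix code.

type credKind int

const (
	kindRoot    credKind = iota // root credentials (the deployment's rootCreds)
	kindSvc                     // service account: inherits its parent's permissions
	kindSTS                     // temporary STS credentials
	kindRegular                 // regular user with an explicit policy mapping
)

// Credentials is a toy stand-in for a MinIO credential and its policy.
type Credentials struct {
	AccessKey string
	Kind      credKind
	// Actions allowed by the policy mapped to this credential (constructed
	// stand-in for a real policy document).
	Policy map[string]bool
}

// checkKeyValidBuggy models the regression: every credential that is not a
// service or STS account is treated as owner, including regular users.
func checkKeyValidBuggy(c Credentials) (owner bool) {
	return c.Kind != kindSvc && c.Kind != kindSTS
}

// checkKeyValidFixed models the fix: only the root credentials are owner;
// svc, STS and regular users all go through policy evaluation.
func checkKeyValidFixed(c Credentials) (owner bool) {
	return c.Kind == kindRoot
}

// isAllowed is the authorization step. An owner skips policy evaluation
// entirely, which is exactly why the owner flag is security-critical.
func isAllowed(c Credentials, action string, owner bool) bool {
	if owner {
		return true
	}
	return c.Policy[action] // nil map reads as false: deny by default
}

// AllowedBuggy and AllowedFixed combine the two steps so the effect of the
// regression can be compared side by side.
func AllowedBuggy(c Credentials, action string) bool {
	return isAllowed(c, action, checkKeyValidBuggy(c))
}

func AllowedFixed(c Credentials, action string) bool {
	return isAllowed(c, action, checkKeyValidFixed(c))
}

func main() {
	// Constructed sample: a regular user whose policy only grants GetObject.
	alice := Credentials{
		AccessKey: "alice",
		Kind:      kindRegular,
		Policy:    map[string]bool{"s3:GetObject": true},
	}
	root := Credentials{AccessKey: "rootuser", Kind: kindRoot}

	for _, action := range []string{"s3:GetObject", "s3:DeleteBucket"} {
		fmt.Printf("%-16s regular user: buggy=%-5v fixed=%-5v | root: fixed=%v\n",
			action, AllowedBuggy(alice, action), AllowedFixed(alice, action),
			AllowedFixed(root, action))
	}
}
```

Running it shows the shape of the regression: under the buggy check the regular user is allowed s3:DeleteBucket even though her policy only grants s3:GetObject, while under the fixed check she is denied and only the root credentials keep unrestricted access. A unit test that pins the owner flag to root credentials alone, as the commit message says #13422 adds, is the check that prevents this class of regression from returning.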
Workarounds
Users should upgrade to RELEASE.2021-10-13T00-23-17Z.
References
- Refer to the PR #13388 which introduced this regression and security issue.
- Refer to the PR #13422 which fixes this issue properly, along with unit tests that capture relevant scenarios.
For more information
If you have any questions or comments about this advisory:
- Open an issue here
- Email us at security