CVE - CVE-2021-21287

CVE-ID
CVE-2021-21287	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
MinIO is a High Performance Object Storage released under Apache License v2.0. In MinIO before version RELEASE.2021-01-30T00-20-58Z there is a server-side request forgery vulnerability. The target application may have functionality for importing data from a URL, publishing data to a URL, or otherwise reading data from a URL that can be tampered with. The attacker modifies the calls to this functionality by supplying a completely different URL or by manipulating how URLs are built (path traversal etc.). In a Server-Side Request Forgery (SSRF) attack, the attacker can abuse functionality on the server to read or update internal resources. The attacker can supply or modify a URL which the code running on the server will read or submit data, and by carefully selecting the URLs, the attacker may be able to read server configuration such as AWS metadata, connect to internal services like HTTP enabled databases, or perform post requests towards internal services which are not intended to be exposed. This is fixed in version RELEASE.2021-01-30T00-20-58Z, all users are advised to upgrade. As a workaround you can disable the browser front-end with "MINIO_BROWSER=off" environment variable.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
CONFIRM:https://github.com/minio/minio/security/advisories/GHSA-m4qq-5f7c-693q URL:https://github.com/minio/minio/security/advisories/GHSA-m4qq-5f7c-693q MISC:https://github.com/minio/minio/commit/eb6871ecd960d570f70698877209e6db181bf276 URL:https://github.com/minio/minio/commit/eb6871ecd960d570f70698877209e6db181bf276 MISC:https://github.com/minio/minio/pull/11337 URL:https://github.com/minio/minio/pull/11337 MISC:https://github.com/minio/minio/releases/tag/RELEASE.2021-01-30T00-20-58Z URL:https://github.com/minio/minio/releases/tag/RELEASE.2021-01-30T00-20-58Z
Assigning CNA
GitHub (maintainer security advisories)
Date Record Created
20201222	Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20201222)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: CVE Request Web Form (select "Other" from dropdown)