Arch Linux Security Advisory ASA-202102-10
=========================================
Severity: Medium
Date    : 2021-02-06
CVE-ID  : CVE-2021-21287
Package : minio
Type    : directory traversal
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1520

Summary
======
The package minio before version 2021.01.30-1 is vulnerable to
directory traversal.

Resolution
=========
Upgrade to 2021.01.30-1.

# pacman -Syu "minio>=2021.01.30-1"

The problem has been fixed upstream in version 2021.01.30.

Workaround
=========
The browser front-end can be disabled with the "MINIO_BROWSER=off"
environment variable.

Description
==========
In MinIO before version RELEASE.2021-01-30T00-20-58Z there is a server-side request forgery vulnerability. The target application may have
functionality for importing data from a URL, publishing data to a URL,
or otherwise reading data from a URL that can be tampered with. The
attacker modifies the calls to this functionality by supplying a
completely different URL or by manipulating how URLs are built (path
traversal etc.). In a Server-Side Request Forgery (SSRF) attack, the
attacker can abuse functionality on the server to read or update
internal resources. The attacker can supply or modify a URL which the
code running on the server will read or submit data, and by carefully
selecting the URLs, the attacker may be able to read server
configuration such as AWS metadata, connect to internal services like
HTTP enabled databases, or perform post requests towards internal
services which are not intended to be exposed. This is fixed in version
RELEASE.2021-01-30T00-20-58Z, all users are advised to upgrade. As a
workaround you can disable the browser front-end with the
"MINIO_BROWSER=off" environment variable.

Impact
=====
A remote attacker can exploit a server-side request forgery
vulnerability to bypass security measures, access sensitive information
and perform privileged actions.

References
=========
https://github.com/minio/minio/security/advisories/GHSA-m4qq-5f7c-693q
https://github.com/minio/minio/pull/11337
https://github.com/minio/minio/commit/eb6871ecd960d570f70698877209e6db181bf276
https://security.archlinux.org/CVE-2021-21287

ArchLinux: 202102-10: minio: directory traversal

February 12, 2021

Summary

In MinIO before version RELEASE.2021-01-30T00-20-58Z there is a server-side request forgery vulnerability. The target application may have functionality for importing data from a URL, publishing data to a URL, or otherwise reading data from a URL that can be tampered with. The attacker modifies the calls to this functionality by supplying a completely different URL or by manipulating how URLs are built (path traversal etc.). In a Server-Side Request Forgery (SSRF) attack, the attacker can abuse functionality on the server to read or update internal resources. The attacker can supply or modify a URL which the code running on the server will read or submit data, and by carefully selecting the URLs, the attacker may be able to read server configuration such as AWS metadata, connect to internal services like HTTP enabled databases, or perform post requests towards internal services which are not intended to be exposed. This is fixed in version RELEASE.2021-01-30T00-20-58Z, all users are advised to upgrade. As a workaround you can disable the browser front-end with the "MINIO_BROWSER=off" environment variable.

Resolution

Upgrade to 2021.01.30-1. # pacman -Syu "minio>=2021.01.30-1"
The problem has been fixed upstream in version 2021.01.30.

References

https://github.com/minio/minio/security/advisories/GHSA-m4qq-5f7c-693q https://github.com/minio/minio/pull/11337 https://github.com/minio/minio/commit/eb6871ecd960d570f70698877209e6db181bf276 https://security.archlinux.org/CVE-2021-21287

Severity
Package : minio
Type : directory traversal
Remote : Yes
Link : https://security.archlinux.org/AVG-1520

Workaround

The browser front-end can be disabled with the "MINIO_BROWSER=off" environment variable.

Related News

23.Tablet Connections Esm H320
2 - 3 min read
The release of Ubuntu 24.04 LTS , also known as Noble Numbat, brings various security enhancements and exciting new features . These improvements
4.Lock AbstractDigital Esm H320
2 - 3 min read
Tails 6.2 is a new Linux distribution release that expands its multilingual support and improves security features. The distribution is a
19.Laptop Bed Esm H320
2 - 3 min read
AlmaLinux 9.4 beta has been released and provides compelling reasons to consider it for desktop usage. While AlmaLinux is primarily known as a
32.Lock Code Circular Esm H320
2 - 3 min read
Linux admins and security practitioners face significant challenges in keeping their Linux systems secure amidst the constant threat of kernel bugs.
1.Penguin Landscape Esm H320
2 - 3 min read
A significant security threat, known as the Spectre v2 exploit, has been observed targeting Linux systems running on modern Intel processors. Let's
10.FingerPrint Locks Esm H320
2 - 3 min read
The recent release of I2P 2.5.0 , an anonymous P2P network that protects against online censorship, surveillance, and monitoring, has brought a slew
24.Key Code Esm H320
2 - 3 min read
The Akira ransomware group has extorted approximately $42 million from over 250 victims since January 1, 2024. The group initially focused on
5.ShakingHands Esm H320
2 - 3 min read
At The Linux Foundation's Open Source Summit North America , Linus Torvalds, the creator of Linux, discussed various topics related to Linux
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved