Bypassing policy restrictions on regular users

High
harshavardhana published GHSA-v64v-g97p-577c Oct 13, 2021

Package

gomod MinIO (Go)

Affected versions

RELEASE.2021-10-10T16-53-30Z

Patched versions

RELEASE.2021-10-13T00-23-17Z

Description

Impact

All users on release RELEASE.2021-10-10T16-53-30Z are affected.

Patches

commit 415bbc74aacd53a120e54a663e941b1809982dbd
Author: Harshavardhana <harsha@minio.io>
Date:   Tue Oct 12 13:18:02 2021 -0700

    checkKeyValid() should return owner true for rootCreds (#13422)
    
    Looks like policy restriction was not working properly
    for normal users when they are not svc or STS accounts.
    
    - svc accounts are now properly fixed to get
      right permissions when its inherited, so
      we do not have to set 'owner = true'
    
    - sts accounts have always been using right
      permissions, do not need an explicit lookup
    
    - regular users always have proper policy mapping
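As an added illustration of the mechanism the commit message describes (this is a hypothetical, simplified model, not MinIO's code; the type and function names are assumptions), the regression and the fix side by side: an `owner` result short-circuits policy evaluation, so marking regular users as owner lets them act outside their mapped policy, while the fixed check reserves owner for root credentials.

```go
package main

import "fmt"
// Hypothetical, simplified model of the check named in the commit message;
// the types and names are assumptions, not MinIO's code.
type CredKind int

const (
	RootCreds      CredKind = iota // server root credentials
	RegularUser                    // IAM user with a mapped policy
	ServiceAccount                 // svc account (inherits parent policy)
	STSAccount                     // temporary STS credentials
)
type Credentials struct {
	AccessKey string
	Kind      CredKind
	Allowed   map[string]bool // action -> allowed by the mapped policy
}

type KeyCheck struct{ Valid, Owner bool } // Owner bypasses policy evaluation
// buggyCheckKeyValid models the regression: svc and STS accounts take the
// policy path, but every other valid key, root OR regular user, is owner.
func buggyCheckKeyValid(c Credentials) KeyCheck {
	if c.AccessKey == "" {
		return KeyCheck{}
	}
	if c.Kind == ServiceAccount || c.Kind == STSAccount {
		return KeyCheck{Valid: true}
	}
	return KeyCheck{Valid: true, Owner: true}
}

// fixedCheckKeyValid marks owner only for root credentials; everyone else is
// authorized through their mapped policy.
func fixedCheckKeyValid(c Credentials) KeyCheck {
	if c.AccessKey == "" {
		return KeyCheck{}
	}
	return KeyCheck{Valid: true, Owner: c.Kind == RootCreds}
}

// IsAllowed is the authorization decision that consumes the check result.
func IsAllowed(k KeyCheck, c Credentials, action string) bool {
	return k.Valid && (k.Owner || c.Allowed[action])
}

func main() {
	u := Credentials{AccessKey: "alice", Kind: RegularUser, Allowed: map[string]bool{"s3:GetObject": true}}
	fmt.Println(IsAllowed(buggyCheckKeyValid(u), u, "s3:DeleteBucket"), IsAllowed(fixedCheckKeyValid(u), u, "s3:DeleteBucket"))
}
```

The regression test a defender would want is the last assertion pattern: a regular user with a narrow policy must be denied an unmapped action after the fix, while root and the svc/STS paths behave as before.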

Users who have upgraded to RELEASE.2021-10-10T16-53-30Z should upgrade to RELEASE.2021-10-13T00-23-17Z to mitigate this problem.

Workarounds

Users should upgrade to RELEASE.2021-10-13T00-23-17Z

References

  • Refer to the PR #13388 which introduced this regression and security issue.
  • Refer to the PR #13422 which fixes this issue properly, along with unit tests that capture relevant scenarios.

For more information

If you have any questions or comments about this advisory:

Severity

High

CVE ID

CVE-2021-41137

Weaknesses

No CWEs

Credits