CVE-2021-21287
Published: 2021-02-01
Priority: P2 · 65 · Severity: high · CVSS 3.1 base score: 7.7
CVSS vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Exploit: EPSS 24.78% (97.6th percentile)
MinIO is a high-performance object storage server released under the Apache License v2.0. MinIO before version RELEASE.2021-01-30T00-20-58Z contains a server-side request forgery (SSRF) vulnerability. The affected application has functionality for importing data from a URL, publishing data to a URL, or otherwise reading data from a URL that can be tampered with; the attacker modifies the calls to this functionality by supplying a completely different URL or by manipulating how URLs are built (path traversal etc.). In an SSRF attack the attacker abuses functionality on the server to read or update internal resources: by supplying or modifying the URL that the server-side code reads from or submits data to, and by carefully selecting those URLs, the attacker may be able to read server configuration such as AWS metadata, connect to internal services like HTTP-enabled databases, or issue POST requests to internal services that are not intended to be exposed. This is fixed in version RELEASE.2021-01-30T00-20-58Z; all users are advised to upgrade. As a workaround, the browser front-end can be disabled by setting the environment variable MINIO_BROWSER=off.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| minio | minio | < RELEASE.2021-01-30T00-20-58Z | RELEASE.2021-01-30T00-20-58Z |
| minio | minio | < 2021-01-30t00-20-58z | 2021-01-30t00-20-58z |
Detection & IOCs (extracted from sources)
URL: /minio/webrpc
Command: {"id":1,"jsonrpc":"2.0","params":{"token": "Test"},"method":"web.LoginSTS"}
- Exploit sends a POST request to /minio/webrpc with a JSON-RPC payload invoking the web.LoginSTS method; look for this endpoint being called with an external/OAST-controlled Host header to confirm SSRF.
- Identify exposed MinIO instances via Shodan/FOFA queries targeting page titles 'minio browser' or 'minio console', or the minio CPE.
- The vulnerability is in the MinIO Browser front-end API; disabling the browser with the environment variable MINIO_BROWSER=off mitigates the attack surface.
- The vulnerability affects MinIO versions prior to RELEASE.2021-01-30T00-20-58Z; only instances running older releases are exploitable.
- The SSRF is triggered through the MinIO Browser API (web.LoginSTS JSON-RPC method); instances with the browser front-end disabled are not affected.
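The two defender-side checks the indicators above imply, as an added example that is not part of this advisory page or of MinIO's own code: deciding whether a deployed release tag predates the fixed build, and scanning access records for the web.LoginSTS call on /minio/webrpc whose Host header is not one of the hostnames we actually serve MinIO on. The record format (one JSON object per line with method/path/host/body fields, as a reverse proxy might emit) is an assumption, and the sample records are constructed for this example.

```python
"""
Added example (not from the advisory or from MinIO): defender-side checks
for CVE-2021-21287.

1. is_vulnerable_release(tag): is this MinIO build older than the fixed
   release RELEASE.2021-01-30T00-20-58Z?
2. find_ssrf_probes(lines, own_hosts): find POST /minio/webrpc calls whose
   JSON-RPC method is web.LoginSTS and whose Host header is foreign, which
   is the signal the IOC section says to look for.

Assumed log format: one JSON object per line with "method", "path", "host"
and "body" keys. The SAMPLE_LOG records are constructed, not real traffic.
"""
import json
from datetime import datetime, timezone

FIXED_RELEASE = "RELEASE.2021-01-30T00-20-58Z"
BROWSER_ENDPOINT = "/minio/webrpc"
RPC_METHOD = "web.LoginSTS"


def parse_release(tag: str) -> datetime:
    """Turn a MinIO release tag such as 'RELEASE.2021-01-30T00-20-58Z' into a
    timezone-aware datetime. Accepts any letter case and an optional
    'RELEASE.' prefix (the affected-range table lists both spellings)."""
    tag = tag.strip().upper()
    if tag.startswith("RELEASE."):
        tag = tag[len("RELEASE."):]
    return datetime.strptime(tag, "%Y-%m-%dT%H-%M-%SZ").replace(tzinfo=timezone.utc)


def is_vulnerable_release(tag: str) -> bool:
    """True when the build predates the fixed release."""
    return parse_release(tag) < parse_release(FIXED_RELEASE)


def is_login_sts_call(record: dict) -> bool:
    """Match the call shape from the IOC section: POST /minio/webrpc whose
    body is a JSON-RPC object with method web.LoginSTS."""
    if record.get("method") != "POST" or record.get("path") != BROWSER_ENDPOINT:
        return False
    try:
        body = json.loads(record.get("body", ""))
    except json.JSONDecodeError:
        return False
    return isinstance(body, dict) and body.get("method") == RPC_METHOD


def find_ssrf_probes(log_lines, own_hosts):
    """Return (line_number, host) for each web.LoginSTS call whose Host header
    (port stripped) is not one of our own MinIO hostnames."""
    own = {h.lower() for h in own_hosts}
    hits = []
    for n, line in enumerate(log_lines, start=1):
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # not one of our JSON records; skip rather than fail
        if not is_login_sts_call(rec):
            continue
        host = rec.get("host", "").split(":")[0].lower()
        if host not in own:
            hits.append((n, host))
    return hits


# Constructed sample records. Line 3 carries a foreign, OAST-style Host header;
# line 4 uses a placeholder RPC method name that is not the one we look for.
SAMPLE_LOG = """
{"method":"GET","path":"/minio/health/live","host":"minio.corp.example","body":""}
{"method":"POST","path":"/minio/webrpc","host":"minio.corp.example","body":"{\\"id\\":1,\\"jsonrpc\\":\\"2.0\\",\\"params\\":{\\"token\\":\\"Test\\"},\\"method\\":\\"web.LoginSTS\\"}"}
{"method":"POST","path":"/minio/webrpc","host":"abc123.oast-listener.example:80","body":"{\\"id\\":1,\\"jsonrpc\\":\\"2.0\\",\\"params\\":{\\"token\\":\\"Test\\"},\\"method\\":\\"web.LoginSTS\\"}"}
{"method":"POST","path":"/minio/webrpc","host":"minio.corp.example","body":"{\\"id\\":2,\\"jsonrpc\\":\\"2.0\\",\\"params\\":{},\\"method\\":\\"web.PlaceholderMethod\\"}"}
""".strip().splitlines()


if __name__ == "__main__":
    print("RELEASE.2020-06-01T00-00-00Z vulnerable:",
          is_vulnerable_release("RELEASE.2020-06-01T00-00-00Z"))
    for n, host in find_ssrf_probes(SAMPLE_LOG, ["minio.corp.example"]):
        print(f"line {n}: web.LoginSTS call with foreign Host header {host!r}")
```

The second record (web.LoginSTS with our own hostname) is ordinary Browser use and is deliberately not reported; only the call whose Host header points somewhere we do not serve is flagged, because that is the condition the indicator list ties to an SSRF attempt. Pair the log check with the release check: an old build with MINIO_BROWSER=off is not exposed through this path, and a patched build is not exposed at all.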
CVSS provenance
NVD · v3.1 · 7.7 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
NVD · v2.0 · 4.0 MEDIUM · AV:N/AC:L/Au:S/C:P/I:N/A:N
No advisories linked to this vulnerability.
No detection rules found.
Nuclei
MinIO Browser API - Server-Side Request Forgery
nuclei · CVSS 7.7
CVE-2021-21287 [HIGH] MinIO Browser API - Server-Side Request Forgery
MinIO Browser API before version RELEASE.2021-01-30T00-20-58Z contains a server-side request forgery vulnerability.
Template (info block as shown on the page):

```yaml
id: CVE-2021-21287

info:
  name: MinIO Browser API - Server-Side Request Forgery
  author: pikpikcu
  severity: high
  description: MinIO Browser API before version RELEASE.2021-01-30T00-20-58Z contains a server-side request forgery vulnerability.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to make arbitrary requests on behalf of the server, potentially leading to unauthorized access or data leakage.
  remediation: |
    Apply the latest security patches or updates provided by MinIO to fix this vulnerability.
  reference:
    - https://github.com/minio/minio/security/advisories/GHSA-m4qq-5f7c-693q
    - https://github.com/minio/minio/commit/eb6871ecd960d570f70698877209e6db181bf276
    - https://github.com/minio/minio/pull/11337
    - https://github.com/minio/minio/releases/tag/RELEASE.2021-01-30T00-20-58Z
```