Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2021-41266: Missing Authentication for Critical Function in Console

Severity: 9.8 CRITICAL (NVD); VulnCheck: 8.6
EPSS: 86.2% (top 0.59%)
CISA KEV: Not in KEV
Exploit: PoC available (public exploit / PoC exists)
Timeline: Published Nov 15; Latest update Aug 21

Description

MinIO Console is a graphical user interface for the MinIO operator. MinIO itself is a multi-cloud object storage project. Affected versions are subject to an authentication bypass issue in the Operator Console when an external IDP is enabled. All users on release v0.12.2 and before are affected and are advised to update to 0.12.3 or newer. Users unable to upgrade should add automountServiceAccountToken: false to the operator-console deployment in Kubernetes so no service account token will g

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (3 packages)

CVEListV5: minio/console < 0.12.3
NVD: min/minio_console < 0.12.3

Patches

🔴 Vulnerability Details (4)

OSV: Authentication bypass issue in the Operator Console in github.com/minio/console (2024-08-21)
GHSA: Authentication bypass issue in the Operator Console (2021-11-15)
OSV: Authentication bypass issue in the Operator Console (2021-11-15)
VulnCheck: min minio_console Missing Authentication for Critical Function (2021)

💥 Exploits & PoCs (1)

Nuclei: MinIO Operator Console Authentication Bypass