CVE-2021-41266
Published 2021-11-15
Priority P190 · critical · 9.8 (CVSS 3.1)
CVSS vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW · Exploit · VulnCheck KEV
Exploited in the wild
EPSS: 46.71% (98.7th percentile)
MinIO Console is a graphical user interface for the MinIO Operator. MinIO itself is a multi-cloud object storage project. Affected versions are subject to an authentication bypass issue in the Operator Console when an external IDP is enabled. All users on release v0.12.2 and before are affected and are advised to update to 0.12.3 or newer. Users unable to upgrade should add `automountServiceAccountToken: false` to the operator-console deployment in Kubernetes so that no service account token gets mounted inside the pod, then disable external identity provider authentication by unsetting the CONSOLE_IDP_URL, CONSOLE_IDP_CLIENT_ID, CONSOLE_IDP_SECRET and CONSOLE_IDP_CALLBACK environment variables, and instead use the Kubernetes service account token.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | minio_console | >= 0 < 0.12.3 | 0.12.3 |
| min | minio_console | < 0.12.3 | 0.12.3 |
| minio | console | < 0.12.3 | 0.12.3 |
Detection & IOCs (extracted from sources)
- url: POST /api/v1/login/oauth2/auth
- other: sessionId
- other: token
- Probe for authentication bypass by sending a POST request to /api/v1/login/oauth2/auth with a dummy JSON body {"code":"test","state":"test"}; a vulnerable instance returns HTTP 200 or 201 with 'sessionId' in the response body and 'token' in the response header.
- Match response body for the string 'sessionId' AND response header for the string 'token' with HTTP status 200 or 201 to confirm successful authentication bypass.
- The vulnerability is only exploitable when an external IDP is enabled (CONSOLE_IDP_URL, CONSOLE_IDP_CLIENT_ID, CONSOLE_IDP_SECRET, CONSOLE_IDP_CALLBACK environment variables are set). Scope detection efforts to MinIO Operator Console instances with external IDP configured.
- Affected versions are v0.12.2 and below of MinIO Console. Fingerprint the version to prioritize targets.
- The bypass only works when an external IDP is active. If the environment variables CONSOLE_IDP_URL, CONSOLE_IDP_CLIENT_ID, CONSOLE_IDP_SECRET, and CONSOLE_IDP_CALLBACK are unset, the vulnerable code path is not reachable.
- Setting automountServiceAccountToken: false on the operator-console Kubernetes deployment prevents the service account token from being mounted inside the pod, which is a prerequisite for the bypass to yield a usable session.
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| vulncheck | n/a | 8.6 | HIGH | n/a |
OSV
Authentication bypass issue in the Operator Console in github.com/minio/console
osv · 2024-08-21
GHSA
Authentication bypass issue in the Operator Console
ghsa · 2021-11-15 · severity HIGH · CWE-306
During an internal security audit, we detected an authentication bypass issue in the Operator Console when an external IDP is enabled. The security issue has been reported internally. We have not observed this exploit in the wild or reported elsewhere in the community at large. All users are advised to upgrade ASAP.
### Impact
All users on release v0.12.2 and before are affected.
### Patches
This issue was fixed by PR https://github.com/minio/console/pull/1217, users should upgrade to latest release.
### Workarounds
Add `automountServiceAccountToken: false` to the operator-console deployment in Kubernetes so no service account token will get mounted inside the pod, then disable the external identity provider authentication by unset
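As an added defender-side example (not code from the MinIO project or from this advisory), the following Python audits a parsed Operator Console Deployment manifest against the three conditions the advisory gives: an affected release (v0.12.2 or earlier, fixed in 0.12.3), external IDP enabled through the four CONSOLE_IDP_* variables, and a service account token mounted into the pod. It also applies the advisory's workaround to a copy of the manifest so the before/after states can be compared. The namespace, container name, image reference and the sample manifest itself are constructed assumptions, not values taken from the advisory.

```python
import copy
import re

# The four variables the advisory names as enabling external IDP authentication.
IDP_VARS = {"CONSOLE_IDP_URL", "CONSOLE_IDP_CLIENT_ID",
            "CONSOLE_IDP_SECRET", "CONSOLE_IDP_CALLBACK"}
FIXED_VERSION = (0, 12, 3)  # first fixed release according to the advisory


def parse_version(image: str):
    """Extract (major, minor, patch) from an image reference such as
    'minio/console:v0.12.2'; return None when no semver tag is present."""
    m = re.search(r":v?(\d+)\.(\d+)\.(\d+)", image)
    return tuple(int(x) for x in m.groups()) if m else None


def audit_deployment(deployment: dict) -> dict:
    """Report whether a Deployment manifest (as a parsed dict) is exposed to
    CVE-2021-41266 according to the advisory's conditions."""
    pod = deployment["spec"]["template"]["spec"]
    # Kubernetes mounts the service account token unless this is explicitly false.
    token_mounted = pod.get("automountServiceAccountToken", True)
    env_names = set()
    version = None
    for container in pod.get("containers", []):
        env_names.update(e["name"] for e in container.get("env", []))
        if version is None:
            version = parse_version(container.get("image", ""))
    # Conservative: any of the four IDP variables present counts as "IDP configured".
    idp_vars_set = sorted(IDP_VARS & env_names)
    # An unparseable version cannot be shown to be fixed, so treat it as affected.
    version_affected = version is None or version < FIXED_VERSION
    return {
        "version": version,
        "version_affected": version_affected,
        "idp_vars_set": idp_vars_set,
        "token_mounted": token_mounted,
        # Exposed only when all three advisory conditions hold at once.
        "exposed": version_affected and bool(idp_vars_set) and token_mounted,
    }


def apply_workaround(deployment: dict) -> dict:
    """Return a copy with the advisory's workaround applied: no service account
    token mounted and the four external-IDP variables removed."""
    hardened = copy.deepcopy(deployment)
    pod = hardened["spec"]["template"]["spec"]
    pod["automountServiceAccountToken"] = False
    for container in pod.get("containers", []):
        container["env"] = [e for e in container.get("env", [])
                            if e["name"] not in IDP_VARS]
    return hardened


# Constructed sample manifest (namespace, container and image names are
# assumptions, not values from the advisory): v0.12.2 with external IDP configured.
VULNERABLE_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "operator-console", "namespace": "minio-operator"},
    "spec": {"template": {"spec": {"containers": [{
        "name": "console",
        "image": "minio/console:v0.12.2",
        "env": [
            {"name": "CONSOLE_IDP_URL",
             "value": "https://idp.example.test/.well-known/openid-configuration"},
            {"name": "CONSOLE_IDP_CLIENT_ID", "value": "console"},
            {"name": "CONSOLE_IDP_SECRET",
             "valueFrom": {"secretKeyRef": {"name": "idp", "key": "secret"}}},
            {"name": "CONSOLE_IDP_CALLBACK",
             "value": "https://console.example.test/oauth_callback"},
        ],
    }]}}},
}


if __name__ == "__main__":
    print("before:", audit_deployment(VULNERABLE_DEPLOYMENT))
    print("after: ", audit_deployment(apply_workaround(VULNERABLE_DEPLOYMENT)))
```

In practice the manifest would come from `kubectl get deployment operator-console -o json` piped through `json.load`; the audit reports the sample as exposed, and reports the hardened copy as not exposed because neither IDP variables nor a mounted token remain, while the version check still flags that an upgrade to 0.12.3 is owed.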
OSV
Authentication bypass issue in the Operator Console
osv · 2021-11-15 · severity HIGH
VulnCheck
min minio_console Missing Authentication for Critical Function
vulncheck · 2021 · CVSS 8.6 · severity HIGH
No detection rules found.
Nuclei
MinIO Operator Console Authentication Bypass
nuclei · CVSS 9.8 · severity CRITICAL
MinIO Console is a graphical user interface for the MinIO Operator. MinIO itself is a multi-cloud object storage project. Affected versions are subject to an authentication bypass issue in the Operator Console when an external IDP is enabled.
Template:

```yaml
id: CVE-2021-41266
info:
  name: MinIO Operator Console Authentication Bypass
  author: alevsk
  severity: critical
  description: |
    MinIO Console is a graphical user interface for the for MinIO Operator. MinIO itself is a multi-cloud object storage project. Affected versions are subject to an authentication bypass issue in the Operator Console when an external IDP is enabled.
  impact: |
    An attacker can bypass authentication and gain unauthorized access to the MinIO Operator Console.
  remediation: '
```
No writeups or analysis indexed.
Timeline: 2021-11-15 published · exploited in the wild