CVE-2021-41266
published 2021-11-15


Priority: P190 · critical · 9.8 (CVSS 3.1)
CVSS vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
In the wild: ITW EXPLOIT · VulnCheck KEV · Exploited in the wild
EPSS: 46.71% (98.7th percentile)
MinIO Console is a graphical user interface for the MinIO Operator. MinIO itself is a multi-cloud object storage project. Affected versions are subject to an authentication bypass issue in the Operator Console when an external IDP is enabled. All users on release v0.12.2 and before are affected and are advised to update to 0.12.3 or newer. Users unable to upgrade should add automountServiceAccountToken: false to the operator-console deployment in Kubernetes so that no service account token is mounted inside the pod, then disable the external identity provider authentication by unsetting the CONSOLE_IDP_URL, CONSOLE_IDP_CLIENT_ID, CONSOLE_IDP_SECRET and CONSOLE_IDP_CALLBACK environment variables and instead use the Kubernetes service account token.

Affected (3 ranges)

Vendor       Product         Version range      Fixed in
github.com   minio_console   >= 0, < 0.12.3     0.12.3
min          minio_console   < 0.12.3           0.12.3
minio        console         < 0.12.3           0.12.3

Detection & IOCs (extracted from sources)

url:   POST /api/v1/login/oauth2/auth
other: sessionId
other: token
  • Probe for authentication bypass by sending a POST request to /api/v1/login/oauth2/auth with a dummy JSON body {"code":"test","state":"test"}; a vulnerable instance returns HTTP 200 or 201 with 'sessionId' in the response body and 'token' in the response header.
  • Match response body for the string 'sessionId' AND response header for the string 'token' with HTTP status 200 or 201 to confirm successful authentication bypass.
  • The vulnerability is only exploitable when an external IDP is enabled (CONSOLE_IDP_URL, CONSOLE_IDP_CLIENT_ID, CONSOLE_IDP_SECRET, CONSOLE_IDP_CALLBACK environment variables are set). Scope detection efforts to MinIO Operator Console instances with external IDP configured.
  • Affected versions are v0.12.2 and below of MinIO Console. Fingerprint the version to prioritize targets.
  • The bypass only works when an external IDP is active. If the environment variables CONSOLE_IDP_URL, CONSOLE_IDP_CLIENT_ID, CONSOLE_IDP_SECRET, and CONSOLE_IDP_CALLBACK are unset, the vulnerable code path is not reachable.
  • Setting automountServiceAccountToken: false on the operator-console Kubernetes deployment prevents the service account token from being mounted inside the pod, which is a prerequisite for the bypass to yield a usable session.
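The two workarounds above (disable the service account token mount, unset the four CONSOLE_IDP_* variables) can be verified against the live Deployment object rather than by memory. The following checker is an added example, not code from the advisory or from the MinIO project. It reads the JSON form of a Kubernetes Deployment (the shape `kubectl get deployment <name> -o json` prints) and reports which of the two mitigations is still missing; the function names, the two embedded manifests and the container image tag in them are constructed for this example.

```python
"""Verify the CVE-2021-41266 workarounds on a MinIO Operator Console Deployment.

Added example (not advisory or MinIO project code). Input is a Deployment in JSON
as produced by `kubectl get deployment <name> -o json`. Two checks:
  1. spec.template.spec.automountServiceAccountToken is explicitly false
  2. no container sets any CONSOLE_IDP_* environment variable
"""
import json
import sys

# Environment variables named in the advisory as enabling the external-IDP path.
IDP_ENV_VARS = (
    "CONSOLE_IDP_URL",
    "CONSOLE_IDP_CLIENT_ID",
    "CONSOLE_IDP_SECRET",
    "CONSOLE_IDP_CALLBACK",
)


def check_deployment(manifest: dict) -> list:
    """Return a list of findings; an empty list means both workarounds are applied."""
    findings = []
    pod_spec = manifest.get("spec", {}).get("template", {}).get("spec", {})

    # Kubernetes mounts the token when the field is absent, so only an explicit
    # `false` counts as mitigated; a missing field is reported as a finding.
    if pod_spec.get("automountServiceAccountToken") is not False:
        findings.append("automountServiceAccountToken is not false on the pod spec")

    containers = pod_spec.get("containers", []) + pod_spec.get("initContainers", [])
    for container in containers:
        cname = container.get("name")
        # A variable set via a literal `value` or via `valueFrom` (e.g. a Secret
        # reference) is set either way, so only the name is inspected.
        for env in container.get("env", []):
            if env.get("name") in IDP_ENV_VARS:
                findings.append(f"container {cname!r} sets {env['name']}")
        # envFrom injects whole ConfigMaps/Secrets; the variable names are not
        # visible in the manifest, so flag it for manual review instead of guessing.
        if container.get("envFrom"):
            findings.append(f"container {cname!r} uses envFrom; inspect the referenced objects")
    return findings


# Constructed manifests, trimmed to the fields the checker looks at.
VULNERABLE = json.loads("""
{
  "kind": "Deployment",
  "metadata": {"name": "console"},
  "spec": {"template": {"spec": {
    "containers": [{
      "name": "console",
      "image": "minio/console:v0.12.2",
      "env": [
        {"name": "CONSOLE_IDP_URL", "value": "https://idp.example.invalid"},
        {"name": "CONSOLE_IDP_CLIENT_ID", "value": "console"},
        {"name": "CONSOLE_IDP_SECRET",
         "valueFrom": {"secretKeyRef": {"name": "idp", "key": "secret"}}},
        {"name": "CONSOLE_IDP_CALLBACK", "value": "https://console.example.invalid/cb"}
      ]
    }]
  }}}
}
""")

HARDENED = json.loads("""
{
  "kind": "Deployment",
  "metadata": {"name": "console"},
  "spec": {"template": {"spec": {
    "automountServiceAccountToken": false,
    "containers": [{
      "name": "console",
      "image": "minio/console:v0.12.2",
      "env": [{"name": "EXAMPLE_UNRELATED_VAR", "value": "placeholder"}]
    }]
  }}}
}
""")


if __name__ == "__main__":
    # Usage: kubectl get deployment <name> -n <namespace> -o json | python check.py
    for line in check_deployment(json.load(sys.stdin)):
        print(line)
```

The check only confirms that the workarounds are present; it does not tell you whether the running image is already 0.12.3 or newer, so pair it with the version fingerprinting mentioned above. Note that an absent automountServiceAccountToken field is reported as a finding on purpose, because the Kubernetes default is to mount the token.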

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd         v2.0      6.8     MEDIUM     AV:N/AC:M/Au:N/C:P/I:P/A:P
vulncheck   -         8.6     HIGH       -