CVE-2021-21287
MinIO Server-Side Request Forgery Vulnerability
Description
MinIO is a High Performance Object Storage released under Apache License v2.0. In MinIO before version RELEASE.2021-01-30T00-20-58Z there is a server-side request forgery vulnerability. The target application may have functionality for importing data from a URL, publishing data to a URL, or otherwise reading data from a URL that can be tampered with. The attacker modifies the calls to this functionality by supplying a completely different URL or by manipulating how URLs are built (path traversal etc.). In a Server-Side Request Forgery (SSRF) attack, the attacker can abuse functionality on the server to read or update internal resources. The attacker can supply or modify a URL which the code running on the server will read or submit data, and by carefully selecting the URLs, the attacker may be able to read server configuration such as AWS metadata, connect to internal services like HTTP enabled databases, or perform post requests towards internal services which are not intended to be exposed. This is fixed in version RELEASE.2021-01-30T00-20-58Z, all users are advised to upgrade. As a workaround you can disable the browser front-end with "MINIO_BROWSER=off" environment variable.
INFO
Published Date :
Feb. 1, 2021, 6:15 p.m.
Last Modified :
Feb. 5, 2021, 8:44 p.m.
Source :
[email protected]
Remotely Exploitable :
Yes !
Impact Score :
4.0
Exploitability Score :
3.1
Public PoC/Exploit Available at Github
CVE-2021-21287 has a 16 public PoC/Exploit available at Github.
Go to the Public Exploits tab to see the list.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2021-21287.
| URL | Resource |
|---|---|
| https://github.com/minio/minio/commit/eb6871ecd960d570f70698877209e6db181bf276 | Patch Third Party Advisory |
| https://github.com/minio/minio/pull/11337 | Patch Third Party Advisory |
| https://github.com/minio/minio/releases/tag/RELEASE.2021-01-30T00-20-58Z | Release Notes Third Party Advisory |
| https://github.com/minio/minio/security/advisories/GHSA-m4qq-5f7c-693q | Third Party Advisory |
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
None
None
CSS HTML JavaScript
读过的安全文章离线归档 | begin in 2023.11.23
cloud-security cloudsecurity ctf ctf-writeups cybersecurity awd awdplus
C
poc集合(持续更新ing)
在公网收集的gobypoc+部分自己加的poc
A Common Vulnerability PoC Knowledge Base一个普遍漏洞POC知识库
vulnerability
None
炼石计划@渗透攻防宇宙,本星球我们不仅专注渗透攻防测试中的点点滴滴,又横向扩展学习代码基础与PHP/Java代码审计基础。两者相辅相成,只为更好的成长。
收录go语言编写的项目、框架和组件出现的cve,或者一些相关的利用方式的文章
cve go security bugbounty exploit poc
一个漏洞POC知识库 目前数量 1000+
poc
安全类各家文库大乱斗
HTML CSS JavaScript Go Python Shell C
None
None
awesome resources about cloud native security 🐿
cloud-native container-security cloud-native-security kubernetes-security container-escape k8s kubernetes container docker docker-security serverless serverless-security cloud-security cloud-computing
Go安全的学习中ing
go
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2021-21287 vulnerability anywhere in the article.
The following table lists the changes that have been made to the
CVE-2021-21287 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
CVE Modified by [email protected]
May. 14, 2024
Action Type Old Value New Value -
Initial Analysis by [email protected]
Feb. 05, 2021
Action Type Old Value New Value Added CVSS V2 NIST (AV:N/AC:L/Au:S/C:P/I:N/A:N) Added CVSS V3.1 NIST AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N Changed Reference Type https://github.com/minio/minio/commit/eb6871ecd960d570f70698877209e6db181bf276 No Types Assigned https://github.com/minio/minio/commit/eb6871ecd960d570f70698877209e6db181bf276 Patch, Third Party Advisory Changed Reference Type https://github.com/minio/minio/pull/11337 No Types Assigned https://github.com/minio/minio/pull/11337 Patch, Third Party Advisory Changed Reference Type https://github.com/minio/minio/releases/tag/RELEASE.2021-01-30T00-20-58Z No Types Assigned https://github.com/minio/minio/releases/tag/RELEASE.2021-01-30T00-20-58Z Release Notes, Third Party Advisory Changed Reference Type https://github.com/minio/minio/security/advisories/GHSA-m4qq-5f7c-693q No Types Assigned https://github.com/minio/minio/security/advisories/GHSA-m4qq-5f7c-693q Third Party Advisory Added CPE Configuration OR *cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:* versions up to (excluding) 2021-01-30t00-20-58z
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2021-21287 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2021-21287
weaknesses.
Exploit Prediction
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days.
97.14 }} -0.11%
score
0.99813
percentile