7.7
HIGH
CVE-2021-21287
MinIO Server-Side Request Forgery Vulnerability
Description

MinIO is a High Performance Object Storage released under Apache License v2.0. In MinIO before version RELEASE.2021-01-30T00-20-58Z there is a server-side request forgery vulnerability. The target application may have functionality for importing data from a URL, publishing data to a URL, or otherwise reading data from a URL that can be tampered with. The attacker modifies the calls to this functionality by supplying a completely different URL or by manipulating how URLs are built (path traversal etc.). In a Server-Side Request Forgery (SSRF) attack, the attacker can abuse functionality on the server to read or update internal resources. The attacker can supply or modify a URL which the code running on the server will read or submit data, and by carefully selecting the URLs, the attacker may be able to read server configuration such as AWS metadata, connect to internal services like HTTP enabled databases, or perform post requests towards internal services which are not intended to be exposed. This is fixed in version RELEASE.2021-01-30T00-20-58Z, all users are advised to upgrade. As a workaround you can disable the browser front-end with "MINIO_BROWSER=off" environment variable.

INFO

Published Date :

Feb. 1, 2021, 6:15 p.m.

Last Modified :

Feb. 5, 2021, 8:44 p.m.

Remotely Exploitable :

Yes !

Impact Score :

4.0

Exploitability Score :

3.1
Public PoC/Exploit Available at Github

CVE-2021-21287 has a 16 public PoC/Exploit available at Github. Go to the Public Exploits tab to see the list.

Affected Products

The following products are affected by CVE-2021-21287 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

ID Vendor Product Action
1 Minio minio
References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2021-21287.

URL Resource
https://github.com/minio/minio/commit/eb6871ecd960d570f70698877209e6db181bf276 Patch Third Party Advisory
https://github.com/minio/minio/pull/11337 Patch Third Party Advisory
https://github.com/minio/minio/releases/tag/RELEASE.2021-01-30T00-20-58Z Release Notes Third Party Advisory
https://github.com/minio/minio/security/advisories/GHSA-m4qq-5f7c-693q Third Party Advisory

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

None

Updated: 8 months, 2 weeks ago
0 stars 0 fork 0 watcher
Born at : Feb. 24, 2024, 8:03 a.m. This repo has been linked 37 different CVEs too.

None

CSS HTML JavaScript

Updated: 9 months, 1 week ago
0 stars 0 fork 0 watcher
Born at : Feb. 2, 2024, 2:11 p.m. This repo has been linked 494 different CVEs too.

读过的安全文章离线归档 | begin in 2023.11.23

cloud-security cloudsecurity ctf ctf-writeups cybersecurity awd awdplus

C

Updated: 3 months, 3 weeks ago
11 stars 1 fork 1 watcher
Born at : Nov. 23, 2023, 11:06 a.m. This repo has been linked 6 different CVEs too.

poc集合(持续更新ing)

Updated: 6 months ago
4 stars 0 fork 0 watcher
Born at : July 30, 2023, 1:30 a.m. This repo has been linked 154 different CVEs too.

在公网收集的gobypoc+部分自己加的poc

Updated: 2 months, 1 week ago
96 stars 5 fork 5 watcher
Born at : July 28, 2023, 4:28 p.m. This repo has been linked 296 different CVEs too.

A Common Vulnerability PoC Knowledge Base一个普遍漏洞POC知识库

vulnerability

Updated: 3 months, 4 weeks ago
17 stars 6 fork 6 watcher
Born at : June 24, 2023, 3:12 p.m. This repo has been linked 232 different CVEs too.

None

Updated: 10 months, 1 week ago
4 stars 0 fork 0 watcher
Born at : Aug. 15, 2022, 11:26 a.m. This repo has been linked 35 different CVEs too.

炼石计划@渗透攻防宇宙,本星球我们不仅专注渗透攻防测试中的点点滴滴,又横向扩展学习代码基础与PHP/Java代码审计基础。两者相辅相成,只为更好的成长。

Updated: 1 year, 7 months ago
4 stars 0 fork 0 watcher
Born at : July 11, 2022, 6:59 a.m. This repo has been linked 4 different CVEs too.

收录go语言编写的项目、框架和组件出现的cve,或者一些相关的利用方式的文章

cve go security bugbounty exploit poc

Updated: 3 months, 1 week ago
35 stars 2 fork 2 watcher
Born at : May 4, 2022, 11:32 a.m. This repo has been linked 30 different CVEs too.

一个漏洞POC知识库 目前数量 1000+

poc

Updated: 2 months, 1 week ago
3417 stars 682 fork 682 watcher
Born at : Feb. 20, 2022, 6:43 a.m. This repo has been linked 405 different CVEs too.

安全类各家文库大乱斗

HTML CSS JavaScript Go Python Shell C

Updated: 2 months, 1 week ago
856 stars 214 fork 214 watcher
Born at : Feb. 15, 2022, 3:14 a.m. This repo has been linked 568 different CVEs too.

None

Updated: 2 months, 1 week ago
66 stars 14 fork 14 watcher
Born at : Oct. 13, 2021, 4:56 a.m. This repo has been linked 175 different CVEs too.

None

Updated: 2 years, 2 months ago
1 stars 0 fork 0 watcher
Born at : Sept. 1, 2021, 8:40 a.m. This repo has been linked 24 different CVEs too.

awesome resources about cloud native security 🐿

cloud-native container-security cloud-native-security kubernetes-security container-escape k8s kubernetes container docker docker-security serverless serverless-security cloud-security cloud-computing

Updated: 2 months, 2 weeks ago
303 stars 51 fork 51 watcher
Born at : March 23, 2021, 12:40 p.m. This repo has been linked 37 different CVEs too.

Go安全的学习中ing

go

Updated: 8 months, 2 weeks ago
12 stars 2 fork 2 watcher
Born at : March 4, 2021, 2:59 p.m. This repo has been linked 1 different CVEs too.

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2021-21287 vulnerability anywhere in the article.

The following table lists the changes that have been made to the CVE-2021-21287 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • CVE Modified by [email protected]

    May. 14, 2024

    Action Type Old Value New Value
  • Initial Analysis by [email protected]

    Feb. 05, 2021

    Action Type Old Value New Value
    Added CVSS V2 NIST (AV:N/AC:L/Au:S/C:P/I:N/A:N)
    Added CVSS V3.1 NIST AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
    Changed Reference Type https://github.com/minio/minio/commit/eb6871ecd960d570f70698877209e6db181bf276 No Types Assigned https://github.com/minio/minio/commit/eb6871ecd960d570f70698877209e6db181bf276 Patch, Third Party Advisory
    Changed Reference Type https://github.com/minio/minio/pull/11337 No Types Assigned https://github.com/minio/minio/pull/11337 Patch, Third Party Advisory
    Changed Reference Type https://github.com/minio/minio/releases/tag/RELEASE.2021-01-30T00-20-58Z No Types Assigned https://github.com/minio/minio/releases/tag/RELEASE.2021-01-30T00-20-58Z Release Notes, Third Party Advisory
    Changed Reference Type https://github.com/minio/minio/security/advisories/GHSA-m4qq-5f7c-693q No Types Assigned https://github.com/minio/minio/security/advisories/GHSA-m4qq-5f7c-693q Third Party Advisory
    Added CPE Configuration OR *cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:* versions up to (excluding) 2021-01-30t00-20-58z
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. Following chart shows the EPSS score history of the vulnerability.
CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2021-21287 is associated with the following CWEs:

Common Attack Pattern Enumeration and Classification (CAPEC)

Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2021-21287 weaknesses.

Exploit Prediction

EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days.

96.62 }} -0.42%

score

0.99673

percentile

CVSS31 - Vulnerability Scoring System
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability