x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2021-21362

[tatianab]

CVE-2021-21362 references github.com/minio/minio, which may be a Go module.

Description:
MinIO is an open-source high performance object storage service and it is API compatible with Amazon S3 cloud storage service. In MinIO before version RELEASE.2021-03-04T00-53-13Z it is possible to bypass a readOnly policy by creating a temporary 'mc share upload' URL. Everyone is impacted who uses MinIO multi-users. This is fixed in version RELEASE.2021-03-04T00-53-13Z. As a workaround, one can disable uploads with Content-Type: multipart/form-data as mentioned in the S3 API RESTObjectPOST docs by using a proxy in front of MinIO.

References:

• NIST: https://nvd.nist.gov/vuln/detail/CVE-2021-21362
• advisory: GHSA-hq5j-6r98-9m8v
• fix: fix: missing user policy enforcement in PostPolicyHandler minio/minio#11682
• fix: minio/minio@039f59b
• web: https://github.com/minio/minio/releases/tag/RELEASE.2021-03-04T00-53-13Z
• Imported by: https://pkg.go.dev/github.com/minio/minio?tab=importedby

Cross references:

• Module github.com/minio/minio appears in issue x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2021-43858 #285 EFFECTIVELY_PRIVATE
• Module github.com/minio/minio appears in issue x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2022-24842 #421 EFFECTIVELY_PRIVATE
• Module github.com/minio/minio appears in issue x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2022-31028 #479 EFFECTIVELY_PRIVATE
• Module github.com/minio/minio appears in issue x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2022-35919 #756 EFFECTIVELY_PRIVATE
• Module github.com/minio/minio appears in issue x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2023-25812 #1591 EFFECTIVELY_PRIVATE
• Module github.com/minio/minio appears in issue x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2023-27589 #1634 EFFECTIVELY_PRIVATE
• Module github.com/minio/minio appears in issue x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2023-28432 #1667 EFFECTIVELY_PRIVATE
• Module github.com/minio/minio appears in issue x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2023-28433 #1668 EFFECTIVELY_PRIVATE
• Module github.com/minio/minio appears in issue x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2023-28434 #1669 EFFECTIVELY_PRIVATE

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/minio/minio
      vulnerable_at: 0.0.0-20231108174705-15137d032704
      packages:
        - package: minio
cves:
    - CVE-2021-21362
references:
    - advisory: https://github.com/minio/minio/security/advisories/GHSA-hq5j-6r98-9m8v
    - fix: https://github.com/minio/minio/pull/11682
    - fix: https://github.com/minio/minio/commit/039f59b552319fcc2f83631bb421a7d4b82bc482
    - web: https://github.com/minio/minio/releases/tag/RELEASE.2021-03-04T00-53-13Z

[gopherbot]

Change https://go.dev/cl/540721 mentions this issue: data/excluded: batch add 135 excluded reports