{ "threat_severity" : "Important", "public_date" : "2021-12-27T00:00:00Z", "bugzilla" : { "description" : "minio: user privilege escalation in AddUser() admin API", "id" : "2036252", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2036252" }, "cvss3" : { "cvss3_base_score" : "8.8", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "status" : "verified" }, "cwe" : "CWE-863", "details" : [ "MinIO is a Kubernetes native application for cloud storage. Prior to version `RELEASE.2021-12-27T07-23-18Z`, a malicious client can hand-craft an HTTP API call that allows for updating policy for a user and gaining higher privileges. The patch in version `RELEASE.2021-12-27T07-23-18Z` changes the accepted request body type and removes the ability to apply policy changes through this API. There is a workaround for this vulnerability: Changing passwords can be disabled by adding an explicit `Deny` rule to disable the API for users.", "MinIO is a Kubernetes native application for cloud storage. Prior to version `RELEASE.2021-12-27T07-23-18Z`, a malicious client can hand-craft an HTTP API call that allows for updating policy for a user and gaining higher privileges. The patch in version `RELEASE.2021-12-27T07-23-18Z` changes the accepted request body type and removes the ability to apply policy changes through this API." ], "affected_release" : [ { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2.5 for RHEL 8", "release_date" : "2022-06-09T00:00:00Z", "advisory" : "RHSA-2022:4956", "cpe" : "cpe:/a:redhat:acm:2.5::el8", "package" : "rhacm2/search-collector-rhel8:v2.5.0-20", "impact" : "moderate" } ], "package_state" : [ { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Not affected", "package_name" : "rhacm2/acm-grafana-rhel8", "cpe" : "cpe:/a:redhat:acm:2", "impact" : "moderate" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Will not fix", "package_name" : "rhacm2/assisted-installer-agent-rhel8", "cpe" : "cpe:/a:redhat:acm:2", "impact" : "moderate" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Will not fix", "package_name" : "rhacm2/assisted-installer-reporter-rhel8", "cpe" : "cpe:/a:redhat:acm:2", "impact" : "moderate" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Will not fix", "package_name" : "rhacm2/assisted-installer-rhel8", "cpe" : "cpe:/a:redhat:acm:2", "impact" : "moderate" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Not affected", "package_name" : "rhacm2/cert-policy-controller-rhel9", "cpe" : "cpe:/a:redhat:acm:2", "impact" : "moderate" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Not affected", "package_name" : "rhacm2/cluster-curator-controller-rhel8", "cpe" : "cpe:/a:redhat:acm:2", "impact" : "moderate" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Not affected", "package_name" : "rhacm2/clusterlifecycle-state-metrics-rhel8", "cpe" : "cpe:/a:redhat:acm:2", "impact" : "moderate" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Not affected", "package_name" : "rhacm2/config-policy-controller-rhel8", "cpe" : "cpe:/a:redhat:acm:2", "impact" : "moderate" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Not affected", "package_name" : "rhacm2/endpoint-monitoring-rhel8-operator", "cpe" : "cpe:/a:redhat:acm:2", "impact" : "moderate" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Not affected", "package_name" : "rhacm2/governance-policy-propagator-rhel8", "cpe" : "cpe:/a:redhat:acm:2", "impact" : "moderate" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Not affected", "package_name" : "rhacm2/governance-policy-spec-sync-rhel8", "cpe" : "cpe:/a:redhat:acm:2", "impact" : "moderate" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Not affected", "package_name" : "rhacm2/governance-policy-status-sync-rhel8", "cpe" : "cpe:/a:redhat:acm:2", "impact" : "moderate" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Not affected", "package_name" : "rhacm2/governance-policy-template-sync-rhel8", "cpe" : "cpe:/a:redhat:acm:2", "impact" : "moderate" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Not affected", "package_name" : "rhacm2/iam-policy-controller-rhel8", "cpe" : "cpe:/a:redhat:acm:2", "impact" : "moderate" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Not affected", "package_name" : "rhacm2/managedcluster-import-controller-rhel8", "cpe" : "cpe:/a:redhat:acm:2", "impact" : "moderate" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Not affected", "package_name" : "rhacm2/metrics-collector-rhel8", "cpe" : "cpe:/a:redhat:acm:2", "impact" : "moderate" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Not affected", "package_name" : "rhacm2/multicloud-manager-rhel8", "cpe" : "cpe:/a:redhat:acm:2", "impact" : "moderate" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Not affected", "package_name" : "rhacm2/multiclusterhub-rhel8", "cpe" : "cpe:/a:redhat:acm:2", "impact" : "moderate" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Not affected", "package_name" : "rhacm2/multicluster-operators-application-rhel9", "cpe" : "cpe:/a:redhat:acm:2", "impact" : "moderate" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Not affected", "package_name" : "rhacm2/multicluster-operators-channel-rhel8", "cpe" : "cpe:/a:redhat:acm:2", "impact" : "moderate" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Not affected", "package_name" : "rhacm2/multicluster-operators-deployable-rhel8", "cpe" : "cpe:/a:redhat:acm:2", "impact" : "moderate" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Not affected", "package_name" : "rhacm2/multicluster-operators-placementrule-rhel8", "cpe" : "cpe:/a:redhat:acm:2", "impact" : "moderate" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Not affected", "package_name" : "rhacm2/multicluster-operators-subscription-rhel8", "cpe" : "cpe:/a:redhat:acm:2", "impact" : "moderate" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Not affected", "package_name" : "rhacm2/openshift-hive-rhel8", "cpe" : "cpe:/a:redhat:acm:2", "impact" : "moderate" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Not affected", "package_name" : "rhacm2/rcm-controller-rhel8", "cpe" : "cpe:/a:redhat:acm:2", "impact" : "moderate" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Not affected", "package_name" : "rhacm2/search-rhel8", "cpe" : "cpe:/a:redhat:acm:2", "impact" : "moderate" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Not affected", "package_name" : "rhacm2/subctl-rhel9", "cpe" : "cpe:/a:redhat:acm:2", "impact" : "moderate" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Not affected", "package_name" : "rhacm2/submariner-rhel8-operator", "cpe" : "cpe:/a:redhat:acm:2", "impact" : "moderate" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Not affected", "package_name" : "rhacm2/thanos-receive-controller-rhel8", "cpe" : "cpe:/a:redhat:acm:2", "impact" : "moderate" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Not affected", "package_name" : "rhacm2/thanos-rhel9", "cpe" : "cpe:/a:redhat:acm:2", "impact" : "moderate" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2021-43858\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-43858\nhttps://github.com/minio/minio/security/advisories/GHSA-j6jc-jqqc-p6cx" ], "name" : "CVE-2021-43858", "mitigation" : { "value" : "There is a workaround for this vulnerability: Changing passwords can be disabled by adding an explicit `Deny` rule to disable the API for users.", "lang" : "en:us" }, "csaw" : false }