CVE-2021-21287

7.7 HIGH

📋 TL;DR

This CVE describes a server-side request forgery (SSRF) vulnerability in the MinIO object storage server. Functionality that reads from or publishes to a URL can be pointed at an attacker-supplied URL, or the way the URL is built can be manipulated, so the server makes requests on the attacker's behalf to internal systems such as cloud metadata services, and may expose sensitive data or internal services. All MinIO releases before RELEASE.2021-01-30T00-20-58Z are affected; the vulnerable code is in the embedded browser front-end, and disabling that front-end is the vendor's workaround.

💻 Affected Systems

Products:
  • MinIO
Versions: All versions before RELEASE.2021-01-30T00-20-58Z
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects MinIO deployments with the browser front-end enabled (default configuration).

📦 What is this software?

MinIO is an open-source, Amazon S3-compatible object storage server written in Go. It ships with an embedded browser front-end (enabled by default in the affected releases) alongside its S3 API.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of internal infrastructure including access to cloud metadata services, internal databases, and internal APIs, potentially leading to data exfiltration or lateral movement.

🟠

Likely Case

Information disclosure of internal services, AWS metadata, or configuration data that could enable further attacks.

🟢

If Mitigated

Limited impact with proper network segmentation and access controls, potentially only revealing non-sensitive information.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SSRF vulnerabilities are commonly exploited and tooling exists for automated exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: RELEASE.2021-01-30T00-20-58Z or later

Vendor Advisory: https://github.com/minio/minio/security/advisories/GHSA-m4qq-5f7c-693q

Restart Required: Yes

Instructions:

1. Back up your MinIO configuration and data.
2. Stop the MinIO service.
3. Download and install RELEASE.2021-01-30T00-20-58Z or later from the official MinIO releases.
4. Restart the MinIO service.
5. Verify that the running build reports the updated release tag.

🔧 Temporary Workarounds

Disable Browser Front-end (all platforms)

Disables the embedded browser interface that contains the vulnerable code. The S3 API keeps working; only the web UI becomes unavailable until you upgrade and re-enable it.

export MINIO_BROWSER=off
minio server /data

🧯 If You Can't Patch

  • Implement strict network segmentation so the MinIO host cannot reach internal services it does not need (databases, internal APIs, other management planes)
  • Apply egress filtering on the MinIO host: block outbound connections to the cloud metadata address (169.254.169.254) and to internal ranges, which removes the most valuable SSRF targets
  • Deploy web application firewall (WAF) rules that reject requests carrying internal or loopback addresses in URL parameters and host values; treat this as a stop-gap, since SSRF filters are routinely bypassed with alternate encodings

🔍 How to Verify

Check if Vulnerable:

Check the MinIO release tag: tags have the form RELEASE.YYYY-MM-DDTHH-MM-SSZ and sort chronologically, so any tag that sorts before RELEASE.2021-01-30T00-20-58Z is vulnerable

Check Version:

minio version

Verify Fix Applied:

Confirm the running build reports RELEASE.2021-01-30T00-20-58Z or newer. If the browser front-end was disabled as a workaround, it can be re-enabled after the upgrade.
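The version check above, as an added shell example that is not part of the page or of MinIO itself. It pulls the RELEASE tag out of whatever `minio version` (or `minio --version`) prints, so it does not depend on the exact layout of that output, and compares the tag's timestamp digits numerically against the first fixed release; the sample version strings are constructed.

```shell
#!/bin/sh
# Added example (not MinIO project code): decide whether a MinIO build is
# affected by CVE-2021-21287 from its release tag.

FIXED_RELEASE="RELEASE.2021-01-30T00-20-58Z"

# Pull the RELEASE.YYYY-MM-DDTHH-MM-SSZ tag out of arbitrary text, e.g. the
# output of `minio version`; prints nothing if no tag is present.
extract_release_tag() {
    printf '%s\n' "$1" |
        grep -oE 'RELEASE\.[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}-[0-9]{2}-[0-9]{2}Z' |
        head -n 1
}

# Reduce a tag to its 14 timestamp digits (YYYYMMDDHHMMSS) so two tags can be
# compared numerically; the tag is zero-padded, so this ordering is chronological.
release_ordinal() {
    printf '%s\n' "$1" | tr -cd '0-9'
}

# Exit 0 if the build is vulnerable (tag sorts before the fixed release),
# 1 if it is fixed, 2 if no tag could be found in the input.
is_vulnerable_release() {
    tag=$(extract_release_tag "$1")
    if [ -z "$tag" ]; then
        echo "no MinIO release tag found in input" >&2
        return 2
    fi
    [ "$(release_ordinal "$tag")" -lt "$(release_ordinal "$FIXED_RELEASE")" ]
}

# Usage against a live host (the version string format is assumed, the grep
# above tolerates any layout):
#   is_vulnerable_release "$(minio version 2>&1)" && echo "VULNERABLE: upgrade"
```

Run it on each MinIO node; in a distributed deployment every server binary must be upgraded, so check all of them rather than only the one behind the load balancer.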

📡 Detection & Monitoring

Log Indicators:

  • Unusual URL patterns in requests
  • Requests to internal IP addresses or metadata endpoints
  • Error responses from internal services

Network Indicators:

  • Outbound connections from MinIO server to internal services
  • Requests to cloud metadata endpoints (169.254.169.254)

SIEM Query:

source="minio" AND (url="*metadata*" OR url="*169.254*" OR url="*localhost*" OR url="*127.0.0.1*")
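The SIEM query above matches a handful of literal strings. The following added shell example (not part of the page or of MinIO) applies the same idea with a complete match for the addresses an SSRF would be pointed at: loopback, the unspecified address, the cloud metadata address, and all three RFC 1918 ranges, with an optional port. The log format and the `host=` field are constructed for the example; adapt the extraction to the field in which your proxy or audit log records the request's target host, and note that matching on the target rather than on the whole line avoids flagging internal *client* addresses.

```shell
#!/bin/sh
# Added example (not MinIO project code): flag log lines whose request target
# is an internal address, the trace an SSRF against MinIO would leave behind.
# The log format below is constructed; adapt the `host=` extraction to your own.

# Targets worth alerting on: loopback, unspecified, cloud metadata address,
# RFC 1918 ranges (10/8, 172.16/12, 192.168/16), each with an optional :port.
INTERNAL_HOST_RE='^(localhost|\[::1\]|0\.0\.0\.0|127\.[0-9]+\.[0-9]+\.[0-9]+|169\.254\.169\.254|10\.[0-9]+\.[0-9]+\.[0-9]+|192\.168\.[0-9]+\.[0-9]+|172\.(1[6-9]|2[0-9]|3[01])\.[0-9]+\.[0-9]+)(:[0-9]+)?$'

# Reads log lines on stdin and echoes those whose host field matches.
flag_internal_targets() {
    while IFS= read -r line; do
        host=$(printf '%s\n' "$line" | sed -n 's/.*host=\([^ ]*\).*/\1/p')
        [ -n "$host" ] || continue
        if printf '%s\n' "$host" | grep -Eq "$INTERNAL_HOST_RE"; then
            printf '%s\n' "$line"
        fi
    done
}

# Constructed sample: one request per line, target host in the host= field.
SAMPLE_LOG='2021-01-29T10:00:01Z GET /minio/login host=minio.example.com client=203.0.113.5
2021-01-29T10:00:02Z GET /minio/login host=169.254.169.254 client=203.0.113.5
2021-01-29T10:00:03Z GET /minio/login host=localhost:9000 client=203.0.113.5
2021-01-29T10:00:04Z GET /minio/login host=172.31.4.8 client=203.0.113.5
2021-01-29T10:00:05Z GET /minio/login host=172.32.4.8 client=203.0.113.5
2021-01-29T10:00:06Z GET /minio/login host=[::1]:9000 client=203.0.113.5
2021-01-29T10:00:07Z GET /bucket/object host=storage.example.com client=10.0.0.7'

# Number of flagged lines in the sample. 172.32.4.8 is outside 172.16/12 and the
# 10.0.0.7 on the last line is a client address, not a target, so neither counts.
count_flagged() {
    printf '%s\n' "$SAMPLE_LOG" | flag_internal_targets | wc -l | tr -d ' '
}
```

This catches the direct forms only. Decimal, octal and hex spellings of the same addresses, DNS names that resolve to internal ranges, and redirect chains all slip past a string match, which is why egress filtering on the MinIO host is the control to rely on and log matching is the early-warning layer.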

🔗 References

  • Vendor advisory (GHSA-m4qq-5f7c-693q): https://github.com/minio/minio/security/advisories/GHSA-m4qq-5f7c-693q
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2021-21287