CVE-2021-41266

8.6 HIGH

📋 TL;DR

CVE-2021-41266 is an authentication bypass in MinIO Console, the web UI that the MinIO Operator deploys on Kubernetes as the operator console. It applies only when external identity provider (IDP) authentication is enabled: an attacker can then bypass the login and gain unauthorized access to the operator console. MinIO Console v0.12.2 and earlier are affected whenever external IDP is configured; v0.12.3 contains the fix.

💻 Affected Systems

Products:
  • MinIO Console
Versions: v0.12.2 and earlier
Operating Systems: All platforms running MinIO Console
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when external identity provider (IDP) authentication is enabled via CONSOLE_IDP_* environment variables.

📦 What is this software?

MinIO Console is the web-based management UI for MinIO object storage. On Kubernetes the MinIO Operator ships it as the Operator Console (the `operator-console` deployment), which is used to create and manage MinIO tenants. By default users log in with a Kubernetes service account token; optionally the console can be pointed at an external OpenID Connect identity provider through the CONSOLE_IDP_* environment variables, which is the configuration this vulnerability concerns.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of MinIO object storage management: an attacker can create, modify, or delete tenants and storage configuration, reach sensitive data, and potentially escalate within the Kubernetes cluster using whatever RBAC the operator-console pod's service account holds.

🟠

Likely Case

Unauthorized access to MinIO Console administrative interface, enabling configuration changes, user management, and potential data exposure.

🟢

If Mitigated

No impact once patched, or while external IDP is disabled or the operator-console pod runs without a mounted service account token.

🌐 Internet-Facing: HIGH - If MinIO Console is exposed to the internet with external IDP enabled, attackers can easily bypass authentication.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this vulnerability to gain unauthorized console access.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Authentication bypasses are typically easy to exploit once understood, and the advisory states the triggering condition (external IDP enabled) precisely enough for an attacker to reproduce it. Treat any affected console as exposed even though no public PoC has been published.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v0.12.3 or newer

Vendor Advisory: https://github.com/minio/console/security/advisories/GHSA-4999-659w-mq36

Restart Required: Yes

Instructions:

  1. Update MinIO Console to v0.12.3 or newer.
  2. For Kubernetes deployments, change the image tag on the operator-console deployment. Changing the pod template triggers a rollout that recreates the pods, so this is also the restart.
  3. For installs that are not rolled out by Kubernetes, restart the MinIO Console service, then confirm the running version.

🔧 Temporary Workarounds

Disable Service Account Token Mount

kubernetes

Prevent the Kubernetes service account token from being mounted into the operator-console pod. This patches the pod template, so the deployment rolls out automatically; run it in the namespace where the console lives (add -n if that is not your current context) and confirm the console still works afterwards.

kubectl patch deployment operator-console -p '{"spec":{"template":{"spec":{"automountServiceAccountToken":false}}}}'

Disable External IDP Authentication

kubernetes

Remove the external identity provider configuration. The trailing "-" tells kubectl set env to unset each variable. Remove every CONSOLE_IDP_* variable present on the container, not only the four listed, and check the deployment for envFrom references to a ConfigMap or Secret, which this command does not touch. With the variables gone the console falls back to service account token login.

kubectl set env deployment/operator-console CONSOLE_IDP_URL- CONSOLE_IDP_CLIENT_ID- CONSOLE_IDP_SECRET- CONSOLE_IDP_CALLBACK-

🧯 If You Can't Patch

  • Disable external identity provider authentication by removing all CONSOLE_IDP_* environment variables (including any injected through envFrom)
  • Use the console's default Kubernetes service account token login instead of external IDP
  • Keep the console off the internet and restrict access to it at the network layer until it can be upgraded

🔍 How to Verify

Check if Vulnerable:

Check the MinIO Console version and whether any CONSOLE_IDP_* environment variables are set on the operator-console deployment. The grep below only sees variables listed directly on the container; variables injected through envFrom (a ConfigMap or Secret) will not show up, so inspect envFrom entries as well, and note the value of automountServiceAccountToken in the pod spec: kubectl get deployment operator-console -o yaml | grep -A5 -B5 'CONSOLE_IDP_'

Check Version:

kubectl get deployment operator-console -o yaml | grep 'image:' | grep -o 'console:[^ ]*'

Verify Fix Applied:

Verify the image tag is v0.12.3 or newer, comparing the dotted version fields numerically (v0.12.10 is newer than v0.12.3 even though it sorts lower as a string), and confirm the rollout has completed so the running pods actually use the new image: kubectl get deployment operator-console -o yaml | grep 'image:'
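The three checks above (image version, CONSOLE_IDP_* presence, service account token mount) can be combined into one triage script. The following is an added example, not code from the advisory or the minio/console project. The fixed version, the CONSOLE_IDP_ prefix and the automountServiceAccountToken workaround come from the advisory; the namespace `minio-operator`, the assumption that the console is the first container in the pod, and the verdict names are this example's own.

```shell
#!/bin/sh
# Added example; not code from the advisory or the minio/console project.
# Triages one operator-console Deployment for CVE-2021-41266 from the three facts the
# advisory supports: fixed in v0.12.3, exposure requires CONSOLE_IDP_* to be set, and
# running the pod without its service account token is an accepted workaround.
# Assumptions (not from the page): namespace "minio-operator", the console container is
# the first container in the pod, and the image tag carries the release (e.g. v0.12.2).

# version_ge A B: succeed when dotted version A (optional "v" prefix, optional "-suffix")
# is >= B. Compares field by field numerically, so v0.12.10 ranks above 0.12.3, which a
# plain string comparison would get wrong.
version_ge() {
  a=${1#v}; a=${a%%-*}; b=${2#v}; b=${b%%-*}
  IFS=. read -r a1 a2 a3 _ <<EOF
$a
EOF
  IFS=. read -r b1 b2 b3 _ <<EOF
$b
EOF
  for pair in "${a1:-0}:${b1:-0}" "${a2:-0}:${b2:-0}" "${a3:-0}:${b3:-0}"; do
    x=${pair%%:*}; y=${pair#*:}
    if [ "$x" -gt "$y" ]; then return 0; fi
    if [ "$x" -lt "$y" ]; then return 1; fi
  done
  return 0
}

# assess IMAGE IDP_VARS AUTOMOUNT
#   IMAGE      container image reference, e.g. minio/console:v0.12.2
#   IDP_VARS   space-separated CONSOLE_IDP_* variable names found on the container ("" if none)
#   AUTOMOUNT  value of spec.template.spec.automountServiceAccountToken ("" when unset)
# Prints one line whose first word is the verdict:
#   PATCHED, NOT-EXPOSED, MITIGATED, VULNERABLE or UNKNOWN-VERSION.
assess() {
  image=$1; idp_vars=$2; automount=$3
  case $image in
    *@sha256:*) tag="" ;;          # digest-pinned: release not recoverable from the reference
    *:*)        tag=${image##*:} ;;
    *)          tag="" ;;          # no tag (implicit :latest)
  esac
  case $tag in
    v[0-9]*.[0-9]*.[0-9]*|[0-9]*.[0-9]*.[0-9]*) ;;
    *) echo "UNKNOWN-VERSION image=$image: check the version reported by the console binary"; return 0 ;;
  esac
  if version_ge "$tag" "0.12.3"; then
    echo "PATCHED $tag is v0.12.3 or newer"; return 0
  fi
  if [ -z "$idp_vars" ]; then
    echo "NOT-EXPOSED $tag has no CONSOLE_IDP_* set; upgrade anyway before enabling IDP"; return 0
  fi
  if [ "$automount" = "false" ]; then
    echo "MITIGATED $tag with IDP but no mounted SA token; upgrade remains necessary"; return 0
  fi
  echo "VULNERABLE $tag with $idp_vars and the pod SA token mounted"
  return 0
}

# check_live [NAMESPACE] [DEPLOYMENT]: pull the three signals from a cluster with
# kubectl jsonpath and feed them to assess. Only this function talks to a cluster.
check_live() {
  ns=${1:-minio-operator}; dep=${2:-operator-console}
  image=$(kubectl -n "$ns" get deploy "$dep" \
    -o jsonpath='{.spec.template.spec.containers[0].image}')
  idp=$(kubectl -n "$ns" get deploy "$dep" \
    -o jsonpath='{range .spec.template.spec.containers[*].env[*]}{.name}{" "}{end}' \
    | tr ' ' '\n' | grep '^CONSOLE_IDP_' | tr '\n' ' ')
  automount=$(kubectl -n "$ns" get deploy "$dep" \
    -o jsonpath='{.spec.template.spec.automountServiceAccountToken}')
  envfrom=$(kubectl -n "$ns" get deploy "$dep" \
    -o jsonpath='{.spec.template.spec.containers[*].envFrom}')
  if [ -n "$envfrom" ]; then
    echo "warning: envFrom in use; CONSOLE_IDP_* may arrive from a ConfigMap/Secret this check cannot see" >&2
  fi
  assess "$image" "$idp" "$automount"
}

# Usage: sh triage.sh live [namespace] [deployment]
if [ "${1:-}" = live ]; then
  check_live "${2:-}" "${3:-}"
fi
```

Two caveats when reading the verdict. An empty automountServiceAccountToken on the pod spec means the setting is inherited from the ServiceAccount object, whose default is true, so "mounted" is the safe assumption unless the ServiceAccount itself says otherwise. And a PATCHED verdict only says the deployment spec references a fixed image; confirm the rollout finished so no pod is still running the old one.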

📡 Detection & Monitoring

Log Indicators:

  • Successful console logins (a session issued) with no matching sign-in for that user and time window in the external IDP's own logs
  • Administrative actions in the console (tenant creation, configuration changes, user management) attributed to identities that never authenticated at the IDP
  • Kubernetes audit log entries authenticated as the operator-console pod's service account (the credential the automountServiceAccountToken workaround removes) at times with no corresponding operator session

Network Indicators:

  • Clients that obtain a working console session without first being redirected to the IDP and returning through the configured CONSOLE_IDP_CALLBACK URL
  • Logins to the console from source addresses that never appear in the IDP's logs, or unusual volumes of requests to the console login endpoints

SIEM Query:

The query below is illustrative pseudo-syntax, not a query against fields MinIO Console actually emits: the console has no "authentication_bypass" event or "auth_method" field. Translate it to your ingest schema, for example HTTP 200 responses on the console login path with no matching IDP sign-in within a short window.

source="minio-console" AND (event="authentication_bypass" OR (http_status=200 AND auth_method="none"))

🔗 References

  • Vendor advisory GHSA-4999-659w-mq36: https://github.com/minio/console/security/advisories/GHSA-4999-659w-mq36
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2021-41266
