CVE-2021-43858

8.8 HIGH

📋 TL;DR

CVE-2021-43858 is a privilege escalation vulnerability in the MinIO object storage server. An authenticated user can hand-craft a call to the admin HTTP API that MinIO uses for password changes and, because that call also accepts a policy assignment in affected builds, attach a more permissive policy to their own account. Every release before RELEASE.2021-12-27T07-23-18Z is affected. Valid credentials for any user are required; no unauthenticated path is known.

💻 Affected Systems

Products:
  • MinIO
Versions: All versions prior to RELEASE.2021-12-27T07-23-18Z
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Every deployment running an affected release is vulnerable regardless of configuration; the flaw is in the admin API handler itself, not in an optional feature, so the only configuration-level defence is the explicit Deny policy described under Temporary Workarounds.

📦 What is this software?

MinIO is an open-source, S3-compatible object storage server written in Go, commonly deployed on Kubernetes and on bare metal. Users, groups and policies are managed by its built-in IAM, and administrative operations are exposed to authenticated clients over the /minio/admin/v3/ HTTP API (the API that the mc admin commands drive). This vulnerability lives in that admin API.

⚠️ Risk & Real-World Impact

🔴

Worst Case

An authenticated low-privilege user attaches an administrative policy (for example the built-in consoleAdmin policy) to their own account and from there reads, modifies or deletes every stored object, creates further users and service accounts, and reconfigures the server.

🟠

Likely Case

An attacker with standard user access elevates privileges to perform unauthorized operations on buckets and objects they shouldn't have access to, potentially exfiltrating sensitive data.

🟢

If Mitigated

With the vendor's explicit Deny workaround attached to every non-admin user and the admin API reachable only from a management network, the self-policy-update path is closed. Network segmentation on its own limits who can reach the API but does not stop a user who already holds valid credentials and network access.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: No
Weaponized: Not known
Unauthenticated Exploit: No (valid user credentials are required)
Complexity: LOW

Exploitation needs credentials for any MinIO user, after which it is a single crafted request to the admin HTTP API with no timing or race condition involved. The vendor advisory describes the mechanism and the fix but publishes no proof of concept.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: RELEASE.2021-12-27T07-23-18Z

Vendor Advisory: https://github.com/minio/minio/security/advisories/GHSA-j6jc-jqqc-p6cx

Restart Required: Yes

Instructions:

1. Back up the server configuration and, where practical, the data.
2. Stop the MinIO service. In a distributed deployment work through the nodes in turn, or use mc admin update ALIAS to update and restart the whole cluster.
3. Replace the minio binary with RELEASE.2021-12-27T07-23-18Z or later.
4. Start the service and confirm the new build with minio --version (or mc admin info ALIAS for a running deployment).
5. Review every user's attached policies for changes made while the instance was exposed, and rotate the credentials of any account that appears to have been abused.

🔧 Temporary Workarounds

Disable the password-change (AddUser) admin API for non-admin users

Applies to: all affected versions

The vendor advisory's workaround is an explicit Deny on admin:CreateUser, the admin action behind the API a user invokes to change their own password, which is the same call path that accepts a policy assignment in affected builds. MinIO permits a user to call this API on their own access key unless a policy explicitly denies the action, which is why the workaround has to be a Deny rather than just the absence of an Allow. Attach a policy containing this statement to every non-admin user alongside their existing policy: it leaves their S3 permissions untouched but also removes self-service password changes until the patch is applied. MinIO admin actions are not scoped to a Resource, so the arn:aws:s3:::* element carried by some copies of this snippet is unnecessary.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": ["admin:CreateUser"]
    }
  ]
}

Apply with mc admin policy add ALIAS deny-createuser ./deny-createuser.json, then attach it next to the user's existing policy with mc admin policy set ALIAS readwrite,deny-createuser user=USERNAME (a comma-separated list attaches several policies at once). Confirm with mc admin user info ALIAS USERNAME, which lists the attached policies.
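To audit whether the workaround is actually in place for a given user, the following added example (not MinIO project code) checks the policy documents attached to that user for an explicit Deny that covers admin:CreateUser. It expects the JSON printed by mc admin policy info ALIAS POLICYNAME for each attached policy; the sample documents embedded in it are constructed, not exported from a real deployment.

```python
"""Check whether a user's attached MinIO policies carry the CVE-2021-43858 workaround.

Added example, not MinIO project code. Input: the JSON documents printed by
`mc admin policy info ALIAS POLICYNAME` for each policy attached to a user.
"""
import fnmatch
import json
from typing import Any, Iterable, List

# Admin action behind the AddUser / password-change API, the vulnerable call path.
TARGET_ACTION = "admin:CreateUser"


def _as_list(value: Any) -> List[Any]:
    """Policy JSON allows a single string/object or a list; normalise to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def denies_action(policy: dict, action: str = TARGET_ACTION) -> bool:
    """True if some Deny statement names `action` (wildcards such as admin:* count).

    Only positive Action entries are considered: a Deny written with NotAction
    on other actions leaves this one allowed and is not accepted as the workaround.
    """
    for stmt in _as_list(policy.get("Statement")):
        if not isinstance(stmt, dict) or stmt.get("Effect") != "Deny":
            continue
        patterns = [p for p in _as_list(stmt.get("Action")) if isinstance(p, str)]
        if any(fnmatch.fnmatchcase(action, pat) for pat in patterns):
            return True
    return False


def workaround_applied(policy_docs: Iterable[str]) -> bool:
    """True if at least one attached policy document explicitly denies admin:CreateUser."""
    return any(denies_action(json.loads(doc)) for doc in policy_docs)


# Constructed sample documents (not exported from a real deployment).
READWRITE_DOC = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:*"], "Resource": ["arn:aws:s3:::*"]}],
})
DENY_CREATEUSER_DOC = json.dumps({  # the advisory-style workaround
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": ["admin:CreateUser"]}],
})
DENY_WRONG_ACTION_DOC = json.dumps({  # blocks policy attachment, not the AddUser path
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": ["admin:AttachUserOrGroupPolicy"]}],
})

if __name__ == "__main__":
    cases = (
        ("readwrite only", [READWRITE_DOC]),
        ("readwrite + deny-createuser", [READWRITE_DOC, DENY_CREATEUSER_DOC]),
        ("readwrite + deny on the wrong action", [READWRITE_DOC, DENY_WRONG_ACTION_DOC]),
    )
    for name, docs in cases:
        print(f"{name}: workaround {'present' if workaround_applied(docs) else 'MISSING'}")
```

The third sample is the mistake worth catching: a Deny on admin:AttachUserOrGroupPolicy looks protective but does not touch the AddUser path the vulnerability abuses, so the checker reports the workaround as missing.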

🧯 If You Can't Patch

  • Restrict reachability of the MinIO API, and in particular the /minio/admin/ path prefix, to management networks and known administrator sources (at a firewall or reverse proxy); this limits who can reach the API but does not stop a user who already holds valid credentials
  • Keep user policies minimal, attach the explicit Deny workaround above to every non-admin user, and alert on any change to a user's attached policies that was not made by an administrator

🔍 How to Verify

Check if Vulnerable:

Print the build tag with minio --version, or query a running deployment with mc admin info ALIAS, which reports the version of every node. Release tags are UTC build timestamps, so compare them as dates: any tag earlier than RELEASE.2021-12-27T07-23-18Z is vulnerable. Grepping for the exact fix tag is not enough, because a newer, patched build will not match it either.

Check Version:

minio --version

Verify Fix Applied:

Confirm that every node reports RELEASE.2021-12-27T07-23-18Z or later. In a distributed deployment a single node left on an older build keeps the vulnerable handler reachable through the load balancer.
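The comparison above is easy to get wrong by hand, so here is an added example (not MinIO project code) that extracts the release tag from minio --version output or from a "Version:" line as printed by mc admin info, and decides by timestamp whether the build predates the fix. The version strings it is exercised with are constructed, and the mc admin info line shape is an assumption about that tool's output.

```python
"""CVE-2021-43858 version check for MinIO (added example, not MinIO project code)."""
import re
import subprocess
import sys
from datetime import datetime, timezone
from typing import Optional

FIXED_RELEASE = "RELEASE.2021-12-27T07-23-18Z"

# Two shapes are recognised: the build tag printed by `minio --version`
# (RELEASE.YYYY-MM-DDTHH-MM-SSZ) and a "Version: YYYY-MM-DDTHH:MM:SSZ" line as
# printed by `mc admin info` (assumed shape; sample strings are constructed).
# Anchoring on "RELEASE." / "Version" avoids matching ordinary log timestamps.
_TAG_PATTERNS = (
    re.compile(r"RELEASE\.(\d{4}-\d{2}-\d{2})T(\d{2})-(\d{2})-(\d{2})Z"),
    re.compile(r"[Vv]ersion\W+(\d{4}-\d{2}-\d{2})T(\d{2}):(\d{2}):(\d{2})Z"),
)


def parse_release(text: str) -> Optional[datetime]:
    """Return the UTC build time of the first release tag found in text, or None."""
    for pattern in _TAG_PATTERNS:
        m = pattern.search(text)
        if m:
            day, hh, mm, ss = m.groups()
            build = datetime.strptime(f"{day}T{hh}:{mm}:{ss}", "%Y-%m-%dT%H:%M:%S")
            return build.replace(tzinfo=timezone.utc)
    return None


def is_vulnerable(text: str) -> Optional[bool]:
    """True if the build predates the fix, False if it is the fix or later, None if no tag.

    Release tags are build timestamps, so comparing them as datetimes (rather
    than grepping for the exact fix tag) classifies every later release correctly.
    """
    build = parse_release(text)
    if build is None:
        return None
    return build < parse_release(FIXED_RELEASE)


def check_local_binary(binary: str = "minio") -> Optional[bool]:
    """Run `<binary> --version` and classify its output; None if it cannot be run."""
    try:
        out = subprocess.run([binary, "--version"], capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    return is_vulnerable(out.stdout + out.stderr)


if __name__ == "__main__":
    verdict = check_local_binary(sys.argv[1] if len(sys.argv) > 1 else "minio")
    print({
        None: "could not determine the MinIO version",
        True: f"VULNERABLE: upgrade to {FIXED_RELEASE} or later",
        False: "not affected by CVE-2021-43858",
    }[verdict])
```

Run it on each node (python3 check.py /usr/local/bin/minio), or pipe saved mc admin info output into is_vulnerable() per node; a None result means the text carried no recognisable tag and should be investigated rather than treated as patched.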

📡 Detection & Monitoring

Log Indicators:

  • AddUser admin API calls (audit log api.name "AddUser") from accounts that are not administrators, particularly where the target accessKey in requestQuery is the caller's own key
  • A user's attached policies changing with no matching administrator action (compare mc admin user info ALIAS USERNAME output over time)
  • Runs of 403/AccessDenied responses on admin API calls from a single access key, which looks like probing for admin actions that are still reachable

Network Indicators:

  • HTTP requests to /minio/admin/v3/add-user from addresses that are not administrator workstations. The request body is encrypted with the caller's secret key and the connection is normally TLS, so the path is only visible where TLS is terminated (reverse proxy or load balancer); inspect there, or rely on the server's audit log.

SIEM Query:

source="minio" AND api.name="AddUser" AND NOT remotehost IN (<administrator source addresses>)

source="minio" AND api.name="AddUser" AND api.statusCode=403
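The following added detection example (not MinIO code) applies the log indicators above to MinIO audit-log JSON lines and emits an alert for every AddUser call that was not made by a known administrator, rating a non-admin's self-targeted AddUser highest because that is the exact path this vulnerability abuses. Field names follow MinIO's audit entry shape (api.name, api.statusCode, time, remotehost, requestQuery, requestHeader). Recovering the caller from a top-level accessKey field, or else from the SigV4 Credential scope in a recorded Authorization header, is an assumption about what your audit target stores; the sample lines are constructed, not captured.

```python
"""Flag AddUser admin-API calls in MinIO audit logs that fit CVE-2021-43858 abuse.

Added detection example, not MinIO code. Reads audit-log JSON lines (one entry
per line) and alerts on every AddUser call not made by a known administrator.
Caller identification (top-level accessKey, else the SigV4 Credential scope in
requestHeader.Authorization) is an assumption about the audit target's fields.
"""
import json
import re
from typing import Dict, Iterable, List, Optional, Set

_CRED_RE = re.compile(r"Credential=([^/]+)/")
SUSPECT_APIS = {"AddUser"}  # admin API behind `mc admin user add` and self password change


def caller_access_key(entry: dict) -> Optional[str]:
    """Identify the calling access key, or None if the entry carries no identity."""
    key = entry.get("accessKey")
    if key:
        return key
    auth = (entry.get("requestHeader") or {}).get("Authorization", "")
    m = _CRED_RE.search(auth)
    return m.group(1) if m else None


def classify(entry: dict, admins: Set[str]) -> Optional[Dict[str, str]]:
    """Return an alert dict for a suspicious AddUser call, or None."""
    api = entry.get("api") or {}
    if api.get("name") not in SUSPECT_APIS:
        return None
    caller = caller_access_key(entry)
    target = (entry.get("requestQuery") or {}).get("accessKey")
    if caller in admins:
        return None  # routine user management by an administrator
    if caller is None:
        severity, reason = "medium", "AddUser with unidentified caller"
    elif caller == target:
        # Self-targeted AddUser is the CVE path: a password change that can carry a policy.
        severity = "high" if api.get("statusCode") == 200 else "medium"
        reason = "non-admin self AddUser (possible self policy update)"
    else:
        severity, reason = "high", "non-admin AddUser against another account"
    return {"severity": severity, "reason": reason, "caller": caller or "?",
            "target": target or "?", "remotehost": entry.get("remotehost", ""),
            "time": entry.get("time", "")}


def scan(lines: Iterable[str], admins: Set[str]) -> List[Dict[str, str]]:
    """Run classify() over raw log lines, skipping blanks and non-JSON noise."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # not an audit entry; skip rather than abort the pipeline
        alert = classify(entry, admins)
        if alert:
            alerts.append(alert)
    return alerts


def _auth(key: str) -> str:
    # Constructed SigV4 header; only the Credential scope matters here.
    return f"AWS4-HMAC-SHA256 Credential={key}/20211227/us-east-1/s3/aws4_request, SignedHeaders=host, Signature=0"


ADMINS = {"minioadmin"}
SAMPLE_LOG = [  # constructed audit entries, not captured from a real deployment
    json.dumps({"version": "1", "time": "2021-12-27T10:00:01Z", "api": {"name": "AddUser", "statusCode": 200},
                "remotehost": "10.0.0.5", "requestQuery": {"accessKey": "bob"},
                "requestHeader": {"Authorization": _auth("minioadmin")}}),
    json.dumps({"version": "1", "time": "2021-12-27T10:05:12Z", "api": {"name": "GetObject", "statusCode": 200},
                "remotehost": "10.0.0.9", "requestHeader": {"Authorization": _auth("bob")}}),
    json.dumps({"version": "1", "time": "2021-12-27T10:06:40Z", "api": {"name": "AddUser", "statusCode": 200},
                "remotehost": "10.0.0.9", "requestQuery": {"accessKey": "bob"},
                "requestHeader": {"Authorization": _auth("bob")}}),
    json.dumps({"version": "1", "time": "2021-12-27T10:07:02Z", "api": {"name": "AddUser", "statusCode": 403},
                "remotehost": "10.0.0.9", "requestQuery": {"accessKey": "alice"},
                "requestHeader": {"Authorization": _auth("bob")}}),
    "not json at all",
    json.dumps({"version": "1", "time": "2021-12-27T10:09:00Z", "api": {"name": "AddUser", "statusCode": 200},
                "remotehost": "10.0.0.12", "requestQuery": {"accessKey": "carol"}, "requestHeader": {}}),
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG, ADMINS):
        print(f"[{a['severity']}] {a['time']} {a['remotehost']} caller={a['caller']} "
              f"target={a['target']}: {a['reason']}")
```

On the sample, the administrator creating bob is ignored, bob's successful self-targeted AddUser and his attempt against alice are both rated high, and the entry with no recoverable identity is rated medium so that a redacting audit target still surfaces the event for manual review.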

🔗 References

  • Vendor advisory GHSA-j6jc-jqqc-p6cx: https://github.com/minio/minio/security/advisories/GHSA-j6jc-jqqc-p6cx
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2021-43858
