CVE-2021-41137

Minio is a Kubernetes native application for cloud storage. All users on release RELEASE.2021-10-10T16-53-30Z are affected by a vulnerability that involves bypassing policy restrictions on regular users. Normally, checkKeyValid() should return owner true for rootCreds. In the affected version, policy restriction did not work properly for users who did not have service (svc) or security token service (STS) accounts. This issue is fixed in RELEASE.2021-10-13T00-23-17Z. A downgrade back to release RELEASE.2021-10-08T23-58-24Z is available as a workaround.

Published: Oct 13, 2021
Updated: May 4, 2025
CVE: CVE-2021-41137
Severity: Medium
Exploit:

CVSS v2:

Severity: Medium
Score: 6.5
AV:N/AC:L/Au:S/C:P/I:P/A:P

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
minio / minio	2021-10-10t16-53-30z	2021-10-10t16-53-30z.x

https://github.com/minio/minio/commit/415bbc74aacd53a120e54a663e941b1809982dbd
https://github.com/minio/minio/pull/13388
https://github.com/minio/minio/pull/13422
https://github.com/minio/minio/security/advisories/GHSA-v64v-g97p-577c

Vulnerability Database

CVE-2021-41137

Deep Security Visibility Without the Complexity