
Cloud Vulnerability DB
A community-led vulnerabilities database
MinIO Console, the graphical user interface for the MinIO Operator, contained an authentication bypass vulnerability (CVE-2021-41266) in its Operator Console component that was exposed whenever an external identity provider (IDP) was enabled. All versions prior to v0.12.3 were affected; the report states that the issue was discovered during an internal security audit. It was fixed in version 0.12.3, released in November 2021 (GitHub Advisory).
The vulnerability is classified under CWE-306 (Missing Authentication for Critical Function). NVD assigned a CVSS v3.1 base score of 9.8 (CRITICAL), while GitHub rated it 8.6 (HIGH); the difference reflects the two scorers' assessment of impact, not a dispute over exploitability (NVD).
With an external IDP configured, an unauthenticated attacker could bypass the Operator Console's login and reach the management interface, and from there exercise the MinIO Operator functionality the console exposes (GitHub Advisory).
The primary mitigation is to upgrade to version 0.12.3 or newer. For deployments that cannot upgrade yet, the advisory gives a two-part workaround: add automountServiceAccountToken: false to the operator-console Deployment in Kubernetes so that no service account token is mounted into the pod, and disable external identity provider authentication by unsetting the CONSOLE_IDP_URL, CONSOLE_IDP_CLIENT_ID, CONSOLE_IDP_SECRET and CONSOLE_IDP_CALLBACK environment variables. Note that Kubernetes mounts the service account token by default, so the field must be set explicitly; simply omitting it is not enough. With the IDP disabled, users log in to the console with a Kubernetes service account token instead (GitHub Advisory).
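The following is an added example, not code from the MinIO project or the advisory, that audits a rendered Operator Console Deployment for the conditions above and produces a copy with the advisory's workaround applied. It works on the plain-dict form of a Kubernetes Deployment (the shape `kubectl get deploy -o json` returns) so it runs offline; the sample manifest, the `idp.example.com` and `console.example.com` values, and the four status labels returned by `assess()` are constructed for illustration. It assumes the console container is the first container in the pod spec and that an image tag of the form `vX.Y.Z` identifies the console version.

```python
"""Audit and remediate a MinIO Operator Console Deployment for CVE-2021-41266.

Added example (not MinIO project code). Operates on a plain-dict rendering of a
Kubernetes Deployment so it can run offline; the manifest below is constructed.
"""
import copy
import json
import re

FIXED_VERSION = (0, 12, 3)  # first release containing the fix (GitHub Advisory)
IDP_ENV_VARS = {"CONSOLE_IDP_URL", "CONSOLE_IDP_CLIENT_ID",
                "CONSOLE_IDP_SECRET", "CONSOLE_IDP_CALLBACK"}
_TAG_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")

# Constructed sample: an operator-console Deployment with an external IDP
# configured and the service-account token mounted (the Kubernetes default).
VULNERABLE_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "console", "namespace": "minio-operator"},
    "spec": {"template": {"spec": {"containers": [{
        "name": "console",
        "image": "minio/console:v0.12.2",
        "env": [
            {"name": "TZ", "value": "UTC"},  # unrelated variable, must survive
            {"name": "CONSOLE_IDP_URL",
             "value": "https://idp.example.com/.well-known/openid-configuration"},
            {"name": "CONSOLE_IDP_CLIENT_ID", "value": "console"},
            {"name": "CONSOLE_IDP_SECRET",
             "valueFrom": {"secretKeyRef": {"name": "idp", "key": "secret"}}},
            {"name": "CONSOLE_IDP_CALLBACK",
             "value": "https://console.example.com/oauth_callback"},
        ],
    }]}}},
}


def console_version(image: str):
    """Return (major, minor, patch) from an image reference such as
    'minio/console:v0.12.2', or None when the tag is absent or not semver
    (e.g. 'latest' or a bare digest): treat that as an unknown version."""
    ref = image.rsplit("@", 1)[0]            # drop any @sha256:... digest
    if ":" not in ref.split("/")[-1]:        # no tag on the last path component
        return None
    m = _TAG_RE.match(ref.rsplit(":", 1)[1])
    return tuple(int(x) for x in m.groups()) if m else None


def is_affected_version(image: str) -> bool:
    """True only when the version is known and older than the fixed release."""
    v = console_version(image)
    return v is not None and v < FIXED_VERSION


def idp_enabled(container: dict) -> bool:
    """The bypass is only reachable when an external IDP is configured."""
    names = {e.get("name") for e in container.get("env", [])}
    return bool(names & IDP_ENV_VARS)


def _pod_spec(deployment: dict) -> dict:
    return deployment["spec"]["template"]["spec"]


def assess(deployment: dict) -> str:
    """Classify a Deployment as 'fixed', 'workaround', 'idp-disabled',
    'vulnerable' or 'unknown-version' (labels are this example's own)."""
    spec = _pod_spec(deployment)
    container = spec["containers"][0]        # assumption: console is first
    version = console_version(container["image"])
    if version is not None and version >= FIXED_VERSION:
        return "fixed"
    # Kubernetes mounts the SA token unless the pod spec explicitly says no.
    token_mounted = spec.get("automountServiceAccountToken", True)
    if not idp_enabled(container):
        return "workaround" if not token_mounted else "idp-disabled"
    return "vulnerable" if version is not None else "unknown-version"


def apply_workaround(deployment: dict) -> dict:
    """Return a copy with the advisory's workaround applied: stop mounting the
    service-account token and unset the four CONSOLE_IDP_* variables."""
    patched = copy.deepcopy(deployment)
    spec = _pod_spec(patched)
    spec["automountServiceAccountToken"] = False
    for container in spec["containers"]:
        container["env"] = [e for e in container.get("env", [])
                            if e.get("name") not in IDP_ENV_VARS]
    return patched


if __name__ == "__main__":
    print("before:", assess(VULNERABLE_DEPLOYMENT))
    remediated = apply_workaround(VULNERABLE_DEPLOYMENT)
    print("after: ", assess(remediated))
    print(json.dumps(remediated["spec"]["template"]["spec"], indent=2))
```

The `idp-disabled` state is reported separately from `workaround` on purpose: a pre-0.12.3 console with no IDP variables is not exposed to this particular bypass, but the advisory's workaround also calls for the token mount to be removed, and a deployment that stops at unsetting the variables has not applied it fully. Anything classified `unknown-version` (a `latest` tag or a bare digest) should be resolved against the actual running image rather than assumed safe.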
Source: This report was generated using AI