Improper Privilege Management in MinIO
CVE-2022-24842

8.8HIGH

Key Information:

Vendor: Minio
Status: Minio
Vendor: CVE Published:; 12 April 2022

What is CVE-2022-24842?

MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. A security issue was found where an non-admin user is able to create service accounts for root or other admin users and then is able to assume their access policies via the generated credentials. This in turn allows the user to escalate privilege to that of the root user. This vulnerability has been resolved in pull request #14729 and is included in RELEASE.2022-04-12T06-55-35Z. Users unable to upgrade may workaround this issue by explicitly adding a admin:CreateServiceAccount deny policy, however, this, in turn, denies the user the ability to create their own service accounts as well.

Affected Version(s)

minio < RELEASE.2022-04-12T06-55-35Z

References

https://github.com/minio/minio/security/advisories/GHSA-2...

x_refsource_CONFIRM

https://github.com/minio/minio/pull/14729

x_refsource_MISC

https://github.com/minio/minio/commit/66b14a0d32684d527ae...

x_refsource_MISC

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 12, 2022
Vulnerability Reserved
Feb 10, 2022

Minio

What is CVE-2022-24842?

Affected Version(s)

References

CVSS V3.1

Timeline