Inherited Permissions Vulnerability in MinIO Could Allow Overriding of Access Controls
CVE-2024-24747

8.8HIGH

Key Information:

Vendor: Minio
Status: Minio
Vendor: CVE Published:; 31 January 2024

What is CVE-2024-24747?

A vulnerability in MinIO High Performance Object Storage exists due to a design flaw in the access key creation process. When a new access key is generated, it inherits permissions from its parent key, including potentially unauthorized admin privileges. This design flaw could allow users to escalate their permissions beyond intended limits, especially if the parent access key is not configured to restrict admin rights. The issue poses a significant risk, as it can lead to unauthorized access and manipulation of critical data stored in object storage systems. A patch addressing this vulnerability has been released in version RELEASE.2024-01-31T20-20-33Z.

Affected Version(s)

minio < RELEASE.2024-01-31T20-20-33Z

References

https://github.com/minio/minio/security/advisories/GHSA-x...

x_refsource_CONFIRM

https://github.com/minio/minio/commit/0ae4915a9391ef4b3ec...

x_refsource_MISC

https://github.com/minio/minio/releases/tag/RELEASE.2024-...

x_refsource_MISC

EPSS Score

21% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 31, 2024
Vulnerability Reserved
Jan 29, 2024

Minio

What is CVE-2024-24747?

Affected Version(s)

References

EPSS Score

CVSS V3.1

Timeline