Lucene search

[email protected]CVE-2022-24842

HistoryApr 12, 2022 - 6:15 p.m.

CVE-2022-24842

2022-04-1218:15:09

CWE-269

[email protected]

web.nvd.nist.gov

118

minio

object storage

privilege escalation

cve-2022-24842

security issue

high performance

gnu affero general public license

nvd

9 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

8.7 High

AI Score

Confidence

High

0.003 Low

EPSS

Percentile

69.1%

JSON

MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. A security issue was found where an non-admin user is able to create service accounts for root or other admin users and then is able to assume their access policies via the generated credentials. This in turn allows the user to escalate privilege to that of the root user. This vulnerability has been resolved in pull request #14729 and is included in RELEASE.2022-04-12T06-55-35Z. Users unable to upgrade may workaround this issue by explicitly adding a admin:CreateServiceAccount deny policy, however, this, in turn, denies the user the ability to create their own service accounts as well.

Affected configurations

Vulners

NVD

Node

miniominioRange<2022-04-12T06-55-35Z

VendorProductVersionCPE
miniominio*cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
minio	minio	*	cpe:2.3:a:minio:minio::::::::

CNA Affected

[
  {
    "product": "minio",
    "vendor": "minio",
    "versions": [
      {
        "status": "affected",
        "version": "< RELEASE.2022-04-12T06-55-35Z"
      }
    ]
  }
]