CVE-2024-24747

2024-01-3122:15:54

CWE-269

[email protected]

web.nvd.nist.gov

minio

high performance

object storage

access key

permissions

vulnerability

cve-2024-24747

nvd

security

release

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

8.2 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

59.2%

JSON

MinIO is a High Performance Object Storage. When someone creates an access key, it inherits the permissions of the parent key. Not only for s3:* actions, but also admin:* actions. Which means unless somewhere above in the access-key hierarchy, the admin rights are denied, access keys will be able to simply override their own s3 permissions to something more permissive. The vulnerability is fixed in RELEASE.2024-01-31T20-20-33Z.

Affected configurations

Vulners

NVD

Node

miniominioRange<2024-01-31T20-20-33Z

VendorProductVersionCPE
miniominio*cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
minio	minio	*	cpe:2.3:a:minio:minio::::::::

CNA Affected

[
  {
    "vendor": "minio",
    "product": "minio",
    "versions": [
      {
        "version": "< RELEASE.2024-01-31T20-20-33Z",
        "status": "affected"
      }
    ]
  }
]