CVE-2024-24747

MinIO is a High Performance Object Storage. When someone creates an access key, it inherits the permissions of the parent key. Not only for `s3:*` actions, but also `admin:*` actions. Which means unless somewhere above in the access-key hierarchy, the `admin` rights are denied, access keys will be able to simply override their own `s3` permissions to something more permissive. The vulnerability is fixed in RELEASE.2024-01-31T20-20-33Z.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/minio/minio/commit/0ae4915a9391ef4b3ec80f5fcdcf24ee6884e776	Patch
https://github.com/minio/minio/releases/tag/RELEASE.2024-01-31T20-20-33Z	Patch Release Notes
https://github.com/minio/minio/security/advisories/GHSA-xx8w-mq23-29g4	Exploit Patch Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:minio:minio:2024-01-31t20-20-33z:*:*:*:*:*:*:*

History

09 Feb 2024, 15:18

Type	Values Removed	Values Added
First Time		Minio minio Minio
CPE		cpe:2.3:a:minio:minio:2024-01-31t20-20-33z:::::::*
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 8.8
References	~~() https://github.com/minio/minio/security/advisories/GHSA-xx8w-mq23-29g4 -~~	() https://github.com/minio/minio/security/advisories/GHSA-xx8w-mq23-29g4 - Exploit, Patch, Vendor Advisory
References	~~() https://github.com/minio/minio/commit/0ae4915a9391ef4b3ec80f5fcdcf24ee6884e776 -~~	() https://github.com/minio/minio/commit/0ae4915a9391ef4b3ec80f5fcdcf24ee6884e776 - Patch
References	~~() https://github.com/minio/minio/releases/tag/RELEASE.2024-01-31T20-20-33Z -~~	() https://github.com/minio/minio/releases/tag/RELEASE.2024-01-31T20-20-33Z - Patch, Release Notes

31 Jan 2024, 22:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-01-31 22:15

Updated : 2024-02-28 20:54

NVD link : CVE-2024-24747

Mitre link : CVE-2024-24747

CVE.ORG link : CVE-2024-24747

JSON object : View

Products Affected

minio

minio

CWE

CWE-269

Improper Privilege Management

{"id": "CVE-2024-24747", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2024-01-31T22:15:54.813", "references": [{"url": "https://github.com/minio/minio/commit/0ae4915a9391ef4b3ec80f5fcdcf24ee6884e776", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/minio/minio/releases/tag/RELEASE.2024-01-31T20-20-33Z", "tags": ["Patch", "Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/minio/minio/security/advisories/GHSA-xx8w-mq23-29g4", "tags": ["Exploit", "Patch", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-269"}]}], "descriptions": [{"lang": "en", "value": "MinIO is a High Performance Object Storage. When someone creates an access key, it inherits the permissions of the parent key. Not only for `s3:*` actions, but also `admin:*` actions. Which means unless somewhere above in the access-key hierarchy, the `admin` rights are denied, access keys will be able to simply override their own `s3` permissions to something more permissive. The vulnerability is fixed in RELEASE.2024-01-31T20-20-33Z."}, {"lang": "es", "value": "MinIO es un almacenamiento de objetos de alto rendimiento. Cuando alguien crea una clave de acceso, hereda los permisos de la clave principal. No solo para acciones `s3:*`, sino tambi\u00e9n para acciones `admin:*`. Lo que significa que, a menos que en alg\u00fan lugar superior de la jerarqu\u00eda de claves de acceso se denieguen los derechos de \"administrador\", las claves de acceso podr\u00e1n simplemente anular sus propios permisos \"s3\" por algo m\u00e1s permisivo. La vulnerabilidad se solucion\u00f3 en RELEASE.2024-01-31T20-20-33Z."}], "lastModified": "2024-02-09T15:18:00.510", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:minio:minio:2024-01-31t20-20-33z:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "67E9B6B4-7A63-40A3-B815-3ADCA52DE423"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}