Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2024-24747: Improper Privilege Management in Minio

Severity: 8.8 HIGH (NVD)
EPSS: 27.1% (top 3.61%)
CISA KEV: Not in KEV
Exploit: PoC available (public exploit / PoC exists)
Affected products: 3 packages (see Affected Packages below)
Timeline: Published Jan 31; latest update Jun 28

Description

MinIO is a high-performance object storage server. When someone creates an access key, it inherits the permissions of the parent key, not only for `s3:*` actions but also for `admin:*` actions. This means that unless `admin` rights are denied somewhere above in the access-key hierarchy, access keys can simply override their own `s3` permissions to something more permissive. The vulnerability is fixed in RELEASE.2024-01-31T20-20-33Z.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9

Affected Packages (3 packages)

CVEListV5: minio/minio < RELEASE.2024-01-31T20-20-33Z
Go: github.com/minio/minio < 0.0.0-20240131185645-0ae4915a9391
NVD: minio/minio 2024-01-31t20-20-33z

Patches

🔴 Vulnerability Details (3)

OSV: Minio unsafe default: Access keys inherit `admin` of root user, allowing privilege escalation in github.com/minio/minio (2024-06-28)
GHSA: Minio unsafe default: Access keys inherit `admin` of root user, allowing privilege escalation (2024-02-01)
OSV: Minio unsafe default: Access keys inherit `admin` of root user, allowing privilege escalation (2024-02-01)

💥 Exploits & PoCs (1)

Exploit-DB: MinIO < 2024-01-31T20-20-33Z - Privilege Escalation (2024-04-12)