CVE-2024-55949
Published 2024-12-16
Priority: P3 · Severity: critical · CVSS 4.0 base score: 9.3
EPSS: 0.70% (48.6th percentile)
MinIO is a high-performance, S3-compatible object store, open sourced under the GNU AGPLv3 license. MinIO is subject to a privilege escalation in the IAM import API; all users are impacted since MinIO commit `580d9db85e04f1b63cc2909af50f0ed08afa965f`. The issue has been addressed in commit `f246c9053f9603e610d98439799bdd2a6b293427`, which is included in RELEASE.2024-12-13T22-19-12Z. No workarounds are possible; all users are advised to upgrade immediately.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | minio_minio | >= 0.0.0-20220623162515-580d9db85e04 < 0.0.0-20241213221912-68b004a48f41 | 0.0.0-20241213221912-68b004a48f41 |
| minio | minio | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 4.0 | 9.3 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
| Red Hat | — | 9.3 | CRITICAL | — |
Note that the NVD vector scores PR:N (no privileges required), while the fix commit quoted below describes the precondition as an authenticated user with "pretty much any kind of permission (but not anonymous)"; when triaging exposure, treat any valid credential on an unpatched instance as sufficient.
OSV (2024-12-18): MinIO vulnerable to privilege escalation in IAM import API in github.com/minio/minio
OSV (2024-12-16, severity HIGH): MinIO vulnerable to privilege escalation in IAM import API
### Impact
Privilege escalation in IAM import API, all users are impacted since MinIO commit 580d9db85e04f1b63cc2909af50f0ed08afa965f
### Patches
```
commit f246c9053f9603e610d98439799bdd2a6b293427
Author: Aditya Manthramurthy
Date: Wed Dec 11 18:09:40 2024 -0800

    fix: Privilege escalation in IAM import API (#20756)

    This API had missing permissions checking, allowing a user to change
    their policy mapping by:

    1. Craft iam-info.zip file: Update own user permission in
       user_mappings.json
    2. Upload it via `mc admin cluster iam import nobody iam-info.zip`

    Here `nobody` can be a user with pretty much any kind of permission (but
    not anonymous) and this ends up working.

    Some more detailed steps - start from a fresh setup:

        ./minio
```
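The authorization gap the commit describes, as an added example written for this page (not MinIO's code): a minimal Go model of an IAM import handler that builds a constructed iam-info.zip containing a user_mappings.json which rebinds the caller's own user to a stronger policy, then applies it once with no permission check (the bug class) and once behind a check that the caller holds an import action (the shape of the fix). The archive path `iam-assets/user_mappings.json`, the JSON entry shape `{"policy": "..."}`, the action name `admin:ImportIAM`, the policy names and the user `nobody` are assumptions for the illustration; the real export layout and action names must be checked against the project.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"io/fs"
)

// iamStore is a simplified model of the IAM state an import rewrites (not
// MinIO's types): each user's attached policy, and the actions each policy grants.
type iamStore struct {
	userPolicies  map[string]string
	policyActions map[string]map[string]bool
}

type mappedPolicy = struct{ Policy string `json:"policy"` } // assumed entry shape

const (
	mappingsPath    = "iam-assets/user_mappings.json" // assumed archive layout
	importIAMAction = "admin:ImportIAM"               // assumed action name
)

// buildIAMZip constructs the archive an attacker would craft: a single
// user_mappings.json that rebinds their own user to a stronger policy.
func buildIAMZip(mappings map[string]mappedPolicy) ([]byte, error) {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	w, err := zw.Create(mappingsPath)
	if err != nil {
		return nil, err
	}
	if err = json.NewEncoder(w).Encode(mappings); err != nil {
		return nil, err
	}
	if err = zw.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// readUserMappings extracts and parses user_mappings.json from the archive.
func readUserMappings(archive []byte) (map[string]mappedPolicy, error) {
	zr, err := zip.NewReader(bytes.NewReader(archive), int64(len(archive)))
	if err != nil {
		return nil, err
	}
	data, err := fs.ReadFile(zr, mappingsPath) // *zip.Reader implements fs.FS
	if err != nil {
		return nil, err
	}
	var m map[string]mappedPolicy
	return m, json.Unmarshal(data, &m)
}

// importIAM applies the archive's policy mappings. With checkPerms=false it
// reproduces the bug class: any non-anonymous caller's upload is applied as
// uploaded. With checkPerms=true the caller must hold the import action first.
func importIAM(s *iamStore, caller string, archive []byte, checkPerms bool) error {
	if caller == "" {
		return errors.New("anonymous access denied")
	}
	if checkPerms && !s.policyActions[s.userPolicies[caller]][importIAMAction] {
		return fmt.Errorf("access denied: %s lacks %s", caller, importIAMAction)
	}
	m, err := readUserMappings(archive)
	if err != nil {
		return err
	}
	for user, mp := range m {
		s.userPolicies[user] = mp.Policy
	}
	return nil
}

// demo has the low-privileged user "nobody" upload a mapping granting itself
// consoleAdmin; returns nobody's policy after each import and the checked error.
func demo() (unchecked, checked string, checkedErr error) {
	newStore := func() *iamStore {
		return &iamStore{
			userPolicies:  map[string]string{"nobody": "readonly"},
			policyActions: map[string]map[string]bool{"readonly": {"s3:GetObject": true}, "consoleAdmin": {importIAMAction: true}},
		}
	}
	archive, err := buildIAMZip(map[string]mappedPolicy{"nobody": {Policy: "consoleAdmin"}})
	if err != nil {
		panic(err)
	}
	vuln, fixed := newStore(), newStore()
	_ = importIAM(vuln, "nobody", archive, false)
	checkedErr = importIAM(fixed, "nobody", archive, true)
	return vuln.userPolicies["nobody"], fixed.userPolicies["nobody"], checkedErr
}

func main() {
	u, c, err := demo()
	fmt.Printf("unchecked import: nobody -> %s\nchecked import: nobody -> %s (%v)\n", u, c, err)
}
```

The point the model makes is that parsing and validating the archive is not the control: the unchecked path accepts a perfectly well-formed upload and still escalates the caller, so the authorization decision has to happen before any IAM state is read from the request, not after.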
GHSA (2024-12-16, severity HIGH, CWE-269): MinIO vulnerable to privilege escalation in IAM import API (advisory text identical to the OSV entry above)
Red Hat (2024-12-16, CVSS 9.3 CRITICAL, CWE-269): minio: Privilege escalation in IAM import API in MinIO
A flaw was found in MinIO. Due to insufficient permissions checking in the IAM import API, a user may be able to change their policy mapping to escalate their privileges via a specially crafted configuration file.
Statement: The affected component is not shipped in any Red Hat produ
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.