CVE-2024-55949 — Improper Privilege Management in Minio Minio

CWE-269 — Improper Privilege Management5 documents4 sources

Severity

9.3CRITICALNVD

EPSS

0.3%

top 46.34%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Minio Minio Minio

Timeline

PublishedDec 16

Latest updateDec 18

Description

MinIO is a high-performance, S3 compatible object store, open sourced under GNU AGPLv3 license. Minio is subject to a privilege escalation in IAM import API, all users are impacted since MinIO commit `580d9db85e04f1b63cc2909af50f0ed08afa965f`. This issue has been addressed in commit `f246c9053f9603e610d98439799bdd2a6b293427` which is included in RELEASE.2024-12-13T22-19-12Z. There are no workarounds possible, all users are advised to upgrade immediately.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Affected Packages2 packages

▶Gogithub.com/minio_minio0.0.0-20220623162515-580d9db85e04 — 0.0.0-20241213221912-68b004a48f41

▶CVEListV5minio/minio>= RELEASE.2022-06-25T15-50-16Z, < RELEASE.2024-12-13T22-19-12Z

🔴Vulnerability Details

OSV

MinIO vulnerable to privilege escalation in IAM import API in github.com/minio/minio↗2024-12-18

▶

OSV

MinIO vulnerable to privilege escalation in IAM import API↗2024-12-16

▶

GHSA

MinIO vulnerable to privilege escalation in IAM import API↗2024-12-16

▶

📋Vendor Advisories

Red Hat

minio: Privilege escalation in IAM import API in MinIO↗2024-12-16

▶