CVE-2024-24747

MinIO unsafe default: Access keys inherit `admin` of root user, allowing privilege escalation

CVSS 8.8 HIGHEPSS 34.1%CWE-269

MinIO is a High Performance Object Storage. When someone creates an access key, it inherits the permissions of the parent key. Not only for `s3:*` actions, but also `admin:*` actions. Which means unless somewhere above in the access-key hierarchy, the `admin` rights are denied, access keys will be able to simply override their own `s3` permissions to something more permissive. The vulnerability is fixed in RELEASE.2024-01-31T20-20-33Z.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected products

minio · minio

public PoCs found — 1

exploitdbwww.exploit-db.com/exploits/51976unverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/minio/minio/commit/0ae4915a9391ef4b3ec80f5fcdcf24ee6884e776 https://github.com/minio/minio/releases/tag/RELEASE.2024-01-31T20-20-33Z https://github.com/minio/minio/security/advisories/GHSA-xx8w-mq23-29g4