cve-2024-24747
Vulnerability from cvelistv5
Published
2024-01-31 22:10
Modified
2024-08-01 23:28
Summary
MinIO is a high-performance object storage server. In affected versions, an access key created from another key inherits the parent key's permissions not only for `s3:*` actions but also for `admin:*` actions. Unless `admin` rights are explicitly denied somewhere above it in the access-key hierarchy, a derived key can therefore use the inherited admin capability to override its own `s3` permissions with something more permissive — a privilege escalation available to any holder of such a key (the CNA rates it CVSS 3.1 8.8 High with only low privileges required, and CISA's SSVC assessment records Exploitation as `poc`). The vulnerability is fixed in RELEASE.2024-01-31T20-20-33Z; the description implies that, until an upgrade, an explicit deny of `admin:*` actions placed higher in the key hierarchy blocks the escalation. Note that the NVD CPE match criteria reproduced below name the fixed release itself, whereas the CNA and CISA ADP data mark every version below RELEASE.2024-01-31T20-20-33Z as affected; treat the latter as the affected range.
Impacted products
Vendor Product Version
minio minio Version: < RELEASE.2024-01-31T20-20-33Z


{
   containers: {
      adp: [
         {
            affected: [
               {
                  cpes: [
                     "cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*",
                  ],
                  defaultStatus: "unknown",
                  product: "minio",
                  vendor: "minio",
                  versions: [
                     {
                        lessThan: "RELEASE.2024-01-31T20-20-33Z",
                        status: "affected",
                        version: "0",
                        versionType: "custom",
                     },
                  ],
               },
            ],
            metrics: [
               {
                  other: {
                     content: {
                        id: "CVE-2024-24747",
                        options: [
                           {
                              Exploitation: "poc",
                           },
                           {
                              Automatable: "no",
                           },
                           {
                              "Technical Impact": "total",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2024-05-09T04:00:49.594536Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            providerMetadata: {
               dateUpdated: "2024-06-06T14:14:48.455Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
         {
            providerMetadata: {
               dateUpdated: "2024-08-01T23:28:11.919Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  name: "https://github.com/minio/minio/security/advisories/GHSA-xx8w-mq23-29g4",
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://github.com/minio/minio/security/advisories/GHSA-xx8w-mq23-29g4",
               },
               {
                  name: "https://github.com/minio/minio/commit/0ae4915a9391ef4b3ec80f5fcdcf24ee6884e776",
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://github.com/minio/minio/commit/0ae4915a9391ef4b3ec80f5fcdcf24ee6884e776",
               },
               {
                  name: "https://github.com/minio/minio/releases/tag/RELEASE.2024-01-31T20-20-33Z",
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://github.com/minio/minio/releases/tag/RELEASE.2024-01-31T20-20-33Z",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "minio",
               vendor: "minio",
               versions: [
                  {
                     status: "affected",
                     version: "< RELEASE.2024-01-31T20-20-33Z",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "MinIO is a High Performance Object Storage. When someone creates an access key, it inherits the permissions of the parent key. Not only for `s3:*` actions, but also `admin:*` actions. Which means unless somewhere above in the access-key hierarchy, the `admin` rights are denied, access keys will be able to simply override their own `s3` permissions to something more permissive. The vulnerability is fixed in RELEASE.2024-01-31T20-20-33Z.",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 8.8,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "HIGH",
                  privilegesRequired: "LOW",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                  version: "3.1",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-269",
                     description: "CWE-269: Improper Privilege Management",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2024-01-31T22:10:23.375Z",
            orgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
            shortName: "GitHub_M",
         },
         references: [
            {
               name: "https://github.com/minio/minio/security/advisories/GHSA-xx8w-mq23-29g4",
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://github.com/minio/minio/security/advisories/GHSA-xx8w-mq23-29g4",
            },
            {
               name: "https://github.com/minio/minio/commit/0ae4915a9391ef4b3ec80f5fcdcf24ee6884e776",
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/minio/minio/commit/0ae4915a9391ef4b3ec80f5fcdcf24ee6884e776",
            },
            {
               name: "https://github.com/minio/minio/releases/tag/RELEASE.2024-01-31T20-20-33Z",
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/minio/minio/releases/tag/RELEASE.2024-01-31T20-20-33Z",
            },
         ],
         source: {
            advisory: "GHSA-xx8w-mq23-29g4",
            discovery: "UNKNOWN",
         },
         title: "MinIO unsafe default: Access keys inherit `admin` of root user, allowing privilege escalation",
      },
   },
   cveMetadata: {
      assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
      assignerShortName: "GitHub_M",
      cveId: "CVE-2024-24747",
      datePublished: "2024-01-31T22:10:23.375Z",
      dateReserved: "2024-01-29T20:51:26.009Z",
      dateUpdated: "2024-08-01T23:28:11.919Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
   "vulnerability-lookup:meta": {
      fkie_nvd: {
         configurations: "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:minio:minio:2024-01-31t20-20-33z:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"67E9B6B4-7A63-40A3-B815-3ADCA52DE423\"}]}]}]",
         descriptions: "[{\"lang\": \"en\", \"value\": \"MinIO is a High Performance Object Storage. When someone creates an access key, it inherits the permissions of the parent key. Not only for `s3:*` actions, but also `admin:*` actions. Which means unless somewhere above in the access-key hierarchy, the `admin` rights are denied, access keys will be able to simply override their own `s3` permissions to something more permissive. The vulnerability is fixed in RELEASE.2024-01-31T20-20-33Z.\"}, {\"lang\": \"es\", \"value\": \"MinIO es un almacenamiento de objetos de alto rendimiento. Cuando alguien crea una clave de acceso, hereda los permisos de la clave principal. No solo para acciones `s3:*`, sino tambi\\u00e9n para acciones `admin:*`. Lo que significa que, a menos que en alg\\u00fan lugar superior de la jerarqu\\u00eda de claves de acceso se denieguen los derechos de \\\"administrador\\\", las claves de acceso podr\\u00e1n simplemente anular sus propios permisos \\\"s3\\\" por algo m\\u00e1s permisivo. La vulnerabilidad se solucion\\u00f3 en RELEASE.2024-01-31T20-20-33Z.\"}]",
         id: "CVE-2024-24747",
         lastModified: "2024-11-21T08:59:36.850",
         metrics: "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 8.8, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 5.9}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 8.8, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 5.9}]}",
         published: "2024-01-31T22:15:54.813",
         references: "[{\"url\": \"https://github.com/minio/minio/commit/0ae4915a9391ef4b3ec80f5fcdcf24ee6884e776\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/minio/minio/releases/tag/RELEASE.2024-01-31T20-20-33Z\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\", \"Release Notes\"]}, {\"url\": \"https://github.com/minio/minio/security/advisories/GHSA-xx8w-mq23-29g4\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Exploit\", \"Patch\", \"Vendor Advisory\"]}, {\"url\": \"https://github.com/minio/minio/commit/0ae4915a9391ef4b3ec80f5fcdcf24ee6884e776\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/minio/minio/releases/tag/RELEASE.2024-01-31T20-20-33Z\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Release Notes\"]}, {\"url\": \"https://github.com/minio/minio/security/advisories/GHSA-xx8w-mq23-29g4\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Patch\", \"Vendor Advisory\"]}]",
         sourceIdentifier: "security-advisories@github.com",
         vulnStatus: "Modified",
         weaknesses: "[{\"source\": \"security-advisories@github.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-269\"}]}]",
      },
      nvd: "{\"cve\":{\"id\":\"CVE-2024-24747\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-01-31T22:15:54.813\",\"lastModified\":\"2024-11-21T08:59:36.850\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"MinIO is a High Performance Object Storage. When someone creates an access key, it inherits the permissions of the parent key. Not only for `s3:*` actions, but also `admin:*` actions. Which means unless somewhere above in the access-key hierarchy, the `admin` rights are denied, access keys will be able to simply override their own `s3` permissions to something more permissive. The vulnerability is fixed in RELEASE.2024-01-31T20-20-33Z.\"},{\"lang\":\"es\",\"value\":\"MinIO es un almacenamiento de objetos de alto rendimiento. Cuando alguien crea una clave de acceso, hereda los permisos de la clave principal. No solo para acciones `s3:*`, sino también para acciones `admin:*`. Lo que significa que, a menos que en algún lugar superior de la jerarquía de claves de acceso se denieguen los derechos de \\\"administrador\\\", las claves de acceso podrán simplemente anular sus propios permisos \\\"s3\\\" por algo más permisivo. 
La vulnerabilidad se solucionó en RELEASE.2024-01-31T20-20-33Z.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-269\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:minio:minio:2024-01-31t20-20-33z:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"67E9B6B4-7A63-40A3-B815-3ADCA52DE423\"}]}]}],\"references\":[{\"url\":\"https://github.com/minio/minio/commit/0ae4915a9391ef4b3ec80f5fcdcf24ee6884e776\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/minio/minio/releases/tag/RELEASE.2024-01-31T20-20-33Z\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Release Notes\"]},{\"url\":\"https://github.com/minio/minio/security/advisories/GHSA-xx8w-mq23-29g4\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Patch\",\"Vendor 
Advisory\"]},{\"url\":\"https://github.com/minio/minio/commit/0ae4915a9391ef4b3ec80f5fcdcf24ee6884e776\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/minio/minio/releases/tag/RELEASE.2024-01-31T20-20-33Z\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Release Notes\"]},{\"url\":\"https://github.com/minio/minio/security/advisories/GHSA-xx8w-mq23-29g4\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Patch\",\"Vendor Advisory\"]}]}}",
      vulnrichment: {
         containers: "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/minio/minio/security/advisories/GHSA-xx8w-mq23-29g4\", \"name\": \"https://github.com/minio/minio/security/advisories/GHSA-xx8w-mq23-29g4\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/minio/minio/commit/0ae4915a9391ef4b3ec80f5fcdcf24ee6884e776\", \"name\": \"https://github.com/minio/minio/commit/0ae4915a9391ef4b3ec80f5fcdcf24ee6884e776\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/minio/minio/releases/tag/RELEASE.2024-01-31T20-20-33Z\", \"name\": \"https://github.com/minio/minio/releases/tag/RELEASE.2024-01-31T20-20-33Z\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-01T23:28:11.919Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-24747\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-05-09T04:00:49.594536Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*\"], \"vendor\": \"minio\", \"product\": \"minio\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"RELEASE.2024-01-31T20-20-33Z\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-05-09T12:55:06.617Z\"}}], \"cna\": {\"title\": \"MinIO unsafe default: Access keys inherit `admin` of root user, allowing privilege escalation\", \"source\": {\"advisory\": \"GHSA-xx8w-mq23-29g4\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": 
\"3.1\", \"baseScore\": 8.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"minio\", \"product\": \"minio\", \"versions\": [{\"status\": \"affected\", \"version\": \"< RELEASE.2024-01-31T20-20-33Z\"}]}], \"references\": [{\"url\": \"https://github.com/minio/minio/security/advisories/GHSA-xx8w-mq23-29g4\", \"name\": \"https://github.com/minio/minio/security/advisories/GHSA-xx8w-mq23-29g4\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/minio/minio/commit/0ae4915a9391ef4b3ec80f5fcdcf24ee6884e776\", \"name\": \"https://github.com/minio/minio/commit/0ae4915a9391ef4b3ec80f5fcdcf24ee6884e776\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/minio/minio/releases/tag/RELEASE.2024-01-31T20-20-33Z\", \"name\": \"https://github.com/minio/minio/releases/tag/RELEASE.2024-01-31T20-20-33Z\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"MinIO is a High Performance Object Storage. When someone creates an access key, it inherits the permissions of the parent key. Not only for `s3:*` actions, but also `admin:*` actions. Which means unless somewhere above in the access-key hierarchy, the `admin` rights are denied, access keys will be able to simply override their own `s3` permissions to something more permissive. The vulnerability is fixed in RELEASE.2024-01-31T20-20-33Z.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-269\", \"description\": \"CWE-269: Improper Privilege Management\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-01-31T22:10:23.375Z\"}}}",
         cveMetadata: "{\"cveId\": \"CVE-2024-24747\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-08-01T23:28:11.919Z\", \"dateReserved\": \"2024-01-29T20:51:26.009Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-01-31T22:10:23.375Z\", \"assignerShortName\": \"GitHub_M\"}",
         dataType: "CVE_RECORD",
         dataVersion: "5.1",
      },
   },
}

