CVE-2024-24747 - Vulnerability Details - OpenCVE

MinIO is a High Performance Object Storage. When someone creates an access key, it inherits the permissions of the parent key. Not only for `s3:*` actions, but also `admin:*` actions. Which means unless somewhere above in the access-key hierarchy, the `admin` rights are denied, access keys will be able to simply override their own `s3` permissions to something more permissive. The vulnerability is fixed in RELEASE.2024-01-31T20-20-33Z.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.24536.

Key SSVC decision points have not yet been added.

Vendors	Products
Minio	Minio

Configuration 1 [-]

cpe:2.3:a:minio:minio:2024-01-31t20-20-33z:*:*:*:*:*:*:*

No data.

No data.

Advisories

Source	ID	Title
Github GHSA	GHSA-xx8w-mq23-29g4	Minio unsafe default: Access keys inherit `admin` of root user, allowing privilege escalation

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/minio/minio/commit/0ae4915a9391ef4b3ec80f5fcdcf24ee6884e776
https://github.com/minio/minio/releases/tag/RELEASE.2024-01-31T20-20-33Z
https://github.com/minio/minio/security/advisories/GHSA-xx8w-mq23-29g4

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-01-31T22:10:23.375Z

Updated: 2024-08-01T23:28:11.919Z

Reserved: 2024-01-29T20:51:26.009Z

Link: CVE-2024-24747

Vulnrichment

Updated: 2024-08-01T23:28:11.919Z

NVD

Status : Modified

Published: 2024-01-31T22:15:54.813

Modified: 2024-11-21T08:59:36.850

Link: CVE-2024-24747

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-24747", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-01-29T20:51:26.009Z", "datePublished": "2024-01-31T22:10:23.375Z", "dateUpdated": "2024-08-01T23:28:11.919Z"}, "containers": {"cna": {"title": "MinIO unsafe default: Access keys inherit `admin` of root user, allowing privilege escalation", "problemTypes": [{"descriptions": [{"cweId": "CWE-269", "lang": "en", "description": "CWE-269: Improper Privilege Management", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/minio/minio/security/advisories/GHSA-xx8w-mq23-29g4", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/minio/minio/security/advisories/GHSA-xx8w-mq23-29g4"}, {"name": "https://github.com/minio/minio/commit/0ae4915a9391ef4b3ec80f5fcdcf24ee6884e776", "tags": ["x_refsource_MISC"], "url": "https://github.com/minio/minio/commit/0ae4915a9391ef4b3ec80f5fcdcf24ee6884e776"}, {"name": "https://github.com/minio/minio/releases/tag/RELEASE.2024-01-31T20-20-33Z", "tags": ["x_refsource_MISC"], "url": "https://github.com/minio/minio/releases/tag/RELEASE.2024-01-31T20-20-33Z"}], "affected": [{"vendor": "minio", "product": "minio", "versions": [{"version": "< RELEASE.2024-01-31T20-20-33Z", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-01-31T22:10:23.375Z"}, "descriptions": [{"lang": "en", "value": "MinIO is a High Performance Object Storage. When someone creates an access key, it inherits the permissions of the parent key. Not only for `s3:*` actions, but also `admin:*` actions. Which means unless somewhere above in the access-key hierarchy, the `admin` rights are denied, access keys will be able to simply override their own `s3` permissions to something more permissive. The vulnerability is fixed in RELEASE.2024-01-31T20-20-33Z."}], "source": {"advisory": "GHSA-xx8w-mq23-29g4", "discovery": "UNKNOWN"}}, "adp": [{"affected": [{"vendor": "minio", "product": "minio", "cpes": ["cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "RELEASE.2024-01-31T20-20-33Z", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-05-09T04:00:49.594536Z", "id": "CVE-2024-24747", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-06T14:14:48.455Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T23:28:11.919Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/minio/minio/security/advisories/GHSA-xx8w-mq23-29g4", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/minio/minio/security/advisories/GHSA-xx8w-mq23-29g4"}, {"name": "https://github.com/minio/minio/commit/0ae4915a9391ef4b3ec80f5fcdcf24ee6884e776", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/minio/minio/commit/0ae4915a9391ef4b3ec80f5fcdcf24ee6884e776"}, {"name": "https://github.com/minio/minio/releases/tag/RELEASE.2024-01-31T20-20-33Z", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/minio/minio/releases/tag/RELEASE.2024-01-31T20-20-33Z"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/minio/minio/security/advisories/GHSA-xx8w-mq23-29g4", "name": "https://github.com/minio/minio/security/advisories/GHSA-xx8w-mq23-29g4", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/minio/minio/commit/0ae4915a9391ef4b3ec80f5fcdcf24ee6884e776", "name": "https://github.com/minio/minio/commit/0ae4915a9391ef4b3ec80f5fcdcf24ee6884e776", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/minio/minio/releases/tag/RELEASE.2024-01-31T20-20-33Z", "name": "https://github.com/minio/minio/releases/tag/RELEASE.2024-01-31T20-20-33Z", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T23:28:11.919Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-24747", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-05-09T04:00:49.594536Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*"], "vendor": "minio", "product": "minio", "versions": [{"status": "affected", "version": "0", "lessThan": "RELEASE.2024-01-31T20-20-33Z", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-09T12:55:06.617Z"}}], "cna": {"title": "MinIO unsafe default: Access keys inherit `admin` of root user, allowing privilege escalation", "source": {"advisory": "GHSA-xx8w-mq23-29g4", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "minio", "product": "minio", "versions": [{"status": "affected", "version": "< RELEASE.2024-01-31T20-20-33Z"}]}], "references": [{"url": "https://github.com/minio/minio/security/advisories/GHSA-xx8w-mq23-29g4", "name": "https://github.com/minio/minio/security/advisories/GHSA-xx8w-mq23-29g4", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/minio/minio/commit/0ae4915a9391ef4b3ec80f5fcdcf24ee6884e776", "name": "https://github.com/minio/minio/commit/0ae4915a9391ef4b3ec80f5fcdcf24ee6884e776", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/minio/minio/releases/tag/RELEASE.2024-01-31T20-20-33Z", "name": "https://github.com/minio/minio/releases/tag/RELEASE.2024-01-31T20-20-33Z", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "MinIO is a High Performance Object Storage. When someone creates an access key, it inherits the permissions of the parent key. Not only for `s3:*` actions, but also `admin:*` actions. Which means unless somewhere above in the access-key hierarchy, the `admin` rights are denied, access keys will be able to simply override their own `s3` permissions to something more permissive. The vulnerability is fixed in RELEASE.2024-01-31T20-20-33Z."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-269", "description": "CWE-269: Improper Privilege Management"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-01-31T22:10:23.375Z"}}}, "cveMetadata": {"cveId": "CVE-2024-24747", "state": "PUBLISHED", "dateUpdated": "2024-08-01T23:28:11.919Z", "dateReserved": "2024-01-29T20:51:26.009Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-01-31T22:10:23.375Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:minio:minio:2024-01-31t20-20-33z:*:*:*:*:*:*:*", "matchCriteriaId": "67E9B6B4-7A63-40A3-B815-3ADCA52DE423", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "MinIO is a High Performance Object Storage. When someone creates an access key, it inherits the permissions of the parent key. Not only for `s3:*` actions, but also `admin:*` actions. Which means unless somewhere above in the access-key hierarchy, the `admin` rights are denied, access keys will be able to simply override their own `s3` permissions to something more permissive. The vulnerability is fixed in RELEASE.2024-01-31T20-20-33Z."}, {"lang": "es", "value": "MinIO es un almacenamiento de objetos de alto rendimiento. Cuando alguien crea una clave de acceso, hereda los permisos de la clave principal. No solo para acciones `s3:*`, sino tambi\u00e9n para acciones `admin:*`. Lo que significa que, a menos que en alg\u00fan lugar superior de la jerarqu\u00eda de claves de acceso se denieguen los derechos de \"administrador\", las claves de acceso podr\u00e1n simplemente anular sus propios permisos \"s3\" por algo m\u00e1s permisivo. La vulnerabilidad se solucion\u00f3 en RELEASE.2024-01-31T20-20-33Z."}], "id": "CVE-2024-24747", "lastModified": "2024-11-21T08:59:36.850", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-01-31T22:15:54.813", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/minio/minio/commit/0ae4915a9391ef4b3ec80f5fcdcf24ee6884e776"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Release Notes"], "url": "https://github.com/minio/minio/releases/tag/RELEASE.2024-01-31T20-20-33Z"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Patch", "Vendor Advisory"], "url": "https://github.com/minio/minio/security/advisories/GHSA-xx8w-mq23-29g4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/minio/minio/commit/0ae4915a9391ef4b3ec80f5fcdcf24ee6884e776"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Release Notes"], "url": "https://github.com/minio/minio/releases/tag/RELEASE.2024-01-31T20-20-33Z"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Patch", "Vendor Advisory"], "url": "https://github.com/minio/minio/security/advisories/GHSA-xx8w-mq23-29g4"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-269"}], "source": "security-advisories@github.com", "type": "Secondary"}]}