// For flags

CVE-2022-24842

Improper Privilege Management in MinIO

Severity Score

8.8
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

1
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. A security issue was found where an non-admin user is able to create service accounts for root or other admin users and then is able to assume their access policies via the generated credentials. This in turn allows the user to escalate privilege to that of the root user. This vulnerability has been resolved in pull request #14729 and is included in `RELEASE.2022-04-12T06-55-35Z`. Users unable to upgrade may workaround this issue by explicitly adding a `admin:CreateServiceAccount` deny policy, however, this, in turn, denies the user the ability to create their own service accounts as well.

MinIO es un almacenamiento de objetos de alto rendimiento publicado bajo la Licencia Pública General Affero versión v3.0 de GNU. Se ha encontrado un problema de seguridad en el que un usuario no administrador es capaz de crear cuentas de servicio para el usuario root u otros usuarios administradores y luego es capaz de asumir sus políticas de acceso por medio de las credenciales generadas. Esto, a su vez, permite al usuario escalar sus privilegios a los del usuario root. Esta vulnerabilidad ha sido resuelta en el pull request #14729 y es incluida en 'RELEASE.2022-04-12T06-55-35Z". Los usuarios que no puedan actualizar pueden mitigar este problema al añadir explícitamente una política de denegación "admin:CreateServiceAccount", pero esto, a su vez, deniega al usuario la capacidad de crear sus propias cuentas de servicio

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Low
Authentication
Single
Confidentiality
Complete
Integrity
Complete
Availability
Complete
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2022-02-10 CVE Reserved
  • 2022-04-12 CVE Published
  • 2024-08-03 CVE Updated
  • 2024-08-03 First Exploit
  • 2025-03-04 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-269: Improper Privilege Management
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Minio
Search vendor "Minio"
 Minio
Search vendor "Minio" for product "Minio"
 >= 2021-12-09t06-19-41z < 2022-04-12t06-55-35z
Search vendor "Minio" for product "Minio" and version " >= 2021-12-09t06-19-41z < 2022-04-12t06-55-35z"
-
Affected