CVE-2024-24747

MinIO unsafe default: Access keys inherit `admin` of root user, allowing privilege escalation

Severity Score

8.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

MinIO is a High Performance Object Storage. When someone creates an access key, it inherits the permissions of the parent key. Not only for `s3:*` actions, but also `admin:*` actions. Which means unless somewhere above in the access-key hierarchy, the `admin` rights are denied, access keys will be able to simply override their own `s3` permissions to something more permissive. The vulnerability is fixed in RELEASE.2024-01-31T20-20-33Z.

MinIO es un almacenamiento de objetos de alto rendimiento. Cuando alguien crea una clave de acceso, hereda los permisos de la clave principal. No solo para acciones `s3:*`, sino también para acciones `admin:*`. Lo que significa que, a menos que en algún lugar superior de la jerarquía de claves de acceso se denieguen los derechos de "administrador", las claves de acceso podrán simplemente anular sus propios permisos "s3" por algo más permisivo. La vulnerabilidad se solucionó en RELEASE.2024-01-31T20-20-33Z.

MinIO versions prior to 2024-01-31T20-20-33Z suffer from a privilege escalation vulnerability.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

Poc

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2024-01-29 CVE Reserved
2024-01-31 CVE Published
2024-04-12 First Exploit
2024-08-01 CVE Updated
2025-02-06 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-269: Improper Privilege Management

CAPEC

References (5)

URL	Tag	Source

URL	Date	SRC
https://packetstorm.news/files/id/178031	2024-04-12
https://www.exploit-db.com/exploits/51976	2024-04-12
https://github.com/minio/minio/security/advisories/GHSA-xx8w-mq23-29g4	2024-08-01

URL	Date	SRC
https://github.com/minio/minio/commit/0ae4915a9391ef4b3ec80f5fcdcf24ee6884e776	2024-02-09
https://github.com/minio/minio/releases/tag/RELEASE.2024-01-31T20-20-33Z	2024-02-09

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Minio Search vendor "Minio"		Minio Search vendor "Minio" for product "Minio"				2024-01-31t20-20-33z Search vendor "Minio" for product "Minio" and version "2024-01-31t20-20-33z"		-		Affected