CVE-2024-24747 — Vulnetix

CVE-2024-24747 PUBLISHED

MinIO is a High Performance Object Storage. When someone creates an access key, it inherits the permissions of the parent key. Not only for `s3:*` actions, but also `admin:*` actions. Which means unless somewhere above in the access-key hierarchy, the `admin` rights are denied, access keys will be able to simply override their own `s3` permissions to something more permissive. The vulnerability is fixed in RELEASE.2024-01-31T20-20-33Z.

EPSS 27.06% · 96.5th percentile

Risk Scores

EPSS Score

27.06%

96.5th percentile

Affected Products

Vendor	Product	Versions
Bitnami	minio	2024.1.31
Bitnami	minio	2024.1.31

Timeline

Jan 21, 1970 Security Advisory
Jan 31, 2024 CVE Published
Feb 8, 2024 EPSS Score
Mar 6, 2024 EPSS Score
Apr 12, 2024 PoC Published
Apr 30, 2024 EPSS Score
May 27, 2024 EPSS Score
Jul 21, 2024 EPSS Score
Aug 17, 2024 EPSS Score
Sep 14, 2024 EPSS Score
Oct 4, 2024 Coalition ESS Score
Nov 7, 2024 EPSS Score

References

https://github.com/minio/minio/commit/0ae4915a9391ef4b3ec80f5fcdcf24ee6884e776 url
https://github.com/minio/minio/releases/tag/RELEASE.2024-01-31T20-20-33Z url
https://github.com/minio/minio/security/advisories/GHSA-xx8w-mq23-29g4 url
https://nvd.nist.gov/vuln/detail/CVE-2024-24747 url

Open in Interactive Console →