CVE-2024-24747: Improper Privilege Management

February 1, 2024

MinIO is a High Performance Object Storage. When someone creates an access key, it inherits the permissions of the parent key. Not only for s3:* actions, but also admin:* actions. Which means unless somewhere above in the access-key hierarchy, the admin rights are denied, access keys will be able to simply override their own s3 permissions to something more permissive. The vulnerability is fixed in RELEASE.2024-01-31T20-20-33Z.

References

github.com/advisories/GHSA-xx8w-mq23-29g4
github.com/minio/minio/commit/0ae4915a9391ef4b3ec80f5fcdcf24ee6884e776
github.com/minio/minio/releases/tag/RELEASE.2024-01-31T20-20-33Z
github.com/minio/minio/security/advisories/GHSA-xx8w-mq23-29g4
nvd.nist.gov/vuln/detail/CVE-2024-24747

Code Behaviors & Features

Detect and mitigate CVE-2024-24747 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →