
exploitDog


CVE-2024-55949

Published: Dec 16, 2024
Source: redhat
CVSS3: 8.1
EPSS: Low

Description

MinIO is a high-performance, S3 compatible object store, open sourced under GNU AGPLv3 license. Minio is subject to a privilege escalation in IAM import API, all users are impacted since MinIO commit 580d9db85e04f1b63cc2909af50f0ed08afa965f. This issue has been addressed in commit f246c9053f9603e610d98439799bdd2a6b293427 which is included in RELEASE.2024-12-13T22-19-12Z. There are no workarounds possible, all users are advised to upgrade immediately.

A flaw was found in MinIO. Due to insufficient permissions checking in the IAM import API, a user may be able to change their policy mapping to escalate their privileges via a specially crafted configuration file.

Report

The affected component is not shipped in any Red Hat products.

Affected packages

| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| Logging Subsystem for Red Hat OpenShift | openshift-logging/logging-loki-rhel9 | Not affected | | |
| OpenShift API for Data Protection | oadp/oadp-mustgather-rhel8 | Not affected | | |
| OpenShift API for Data Protection | oadp/oadp-rhel8-operator | Not affected | | |
| OpenShift API for Data Protection | oadp/oadp-velero-plugin-for-csi-rhel8 | Not affected | | |
| OpenShift API for Data Protection | oadp/oadp-velero-restic-restore-helper-rhel8 | Not affected | | |
| OpenShift API for Data Protection | oadp/oadp-velero-rhel8 | Not affected | | |
| Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/thanos-rhel7 | Not affected | | |
| Red Hat Advanced Cluster Management for Kubernetes 2 | volsync-container | Not affected | | |
| Red Hat Ceph Storage 6 | rhceph/rhceph-promtail-rhel9 | Not affected | | |
| Red Hat Ceph Storage 7 | rhceph/rhceph-promtail-rhel9 | Not affected | | |


Additional information

Status:

Important
Defect:
CWE-269
https://bugzilla.redhat.com/show_bug.cgi?id=2332681
minio: Privilege escalation in IAM import API in MinIO

EPSS

Percentile: 45%
Score: 0.0022
Low

CVSS3

8.1 High

Related vulnerabilities

nvd
9 months ago

MinIO is a high-performance, S3 compatible object store, open sourced under GNU AGPLv3 license. Minio is subject to a privilege escalation in IAM import API, all users are impacted since MinIO commit `580d9db85e04f1b63cc2909af50f0ed08afa965f`. This issue has been addressed in commit `f246c9053f9603e610d98439799bdd2a6b293427` which is included in RELEASE.2024-12-13T22-19-12Z. There are no workarounds possible, all users are advised to upgrade immediately.

debian
9 months ago

MinIO is a high-performance, S3 compatible object store, open sourced ...

github
9 months ago

MinIO vulnerable to privilege escalation in IAM import API

CVSS3: 9.1
fstec
9 months ago

Vulnerability in the MinIO object storage server related to insecure privilege management, allowing an attacker to escalate their privileges to root level

CVSS3: 9.1
redos
8 months ago

minio vulnerability
