Xske
PT-2024-1573 · Score 9.0 · 2024-01-26 · Minio · Minio · CVE-2024-24747
**Name of the Vulnerable Software and Affected Versions**

MinIO versions prior to RELEASE.2024-01-31T20-20-33Z

**Description**

The issue concerns the inheritance of permissions by access keys in MinIO, a high-performance object storage system. When an access key is created, it inherits the permissions of the parent key, including `admin:*` actions, unless `admin` rights are explicitly denied somewhere above it in the access-key hierarchy. Because the inherited admin rights cover editing access keys, a key can rewrite its own `s3` permissions to something more permissive than it was given. The estimated number of potentially affected devices worldwide is around 322,400, mainly located in China, the United States, and other countries.

**Recommendations**

To resolve the issue, update to MinIO RELEASE.2024-01-31T20-20-33Z or later, which includes the fix for the permission checks applied when editing access keys. As a temporary workaround, explicitly deny `admin` actions on access keys to prevent privilege escalation. Restrict the `UpdateServiceAccountAdminAction` permission to minimize the risk of exploitation. Avoid using the `admin:*` actions in access keys until the issue is resolved.
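The workaround above amounts to attaching a policy with an explicit `Deny` on `admin:*` to every access key. The following is an added example, not part of the advisory or of MinIO itself: two constructed access-key policies in MinIO's IAM policy format, and a small audit function that flags policies lacking that explicit deny or granting `admin:` actions directly. It assumes the usual evaluation rule that an explicit `Deny` wins over any `Allow`; the bucket name is a placeholder.

```python
import json

# Constructed sample policies (not from the advisory). Admin statements carry
# no Resource, matching the shape of MinIO's built-in policies.
ADMIN_DENIED = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Deny", "Action": ["admin:*"]},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}
  ]
}""")

ADMIN_NOT_DENIED = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:*"], "Resource": ["arn:aws:s3:::*"]}
  ]
}""")

MSG_GRANTS_ADMIN = "policy grants admin: actions directly"
MSG_NO_ADMIN_DENY = "no explicit Deny on admin:* (inherited admin rights stay in effect)"


def _actions(stmt: dict) -> list:
    """Normalise the Action field, which may be a string or a list."""
    act = stmt.get("Action", [])
    return [act] if isinstance(act, str) else list(act)


def findings(policy: dict) -> list:
    """Return audit findings for one access-key policy (empty list = OK).

    Assumes explicit Deny overrides Allow, so a Deny on admin:* (or on "*")
    caps the key regardless of what the parent key's policy grants.
    """
    denied = allowed = False
    for stmt in policy.get("Statement", []):
        acts = _actions(stmt)
        effect = stmt.get("Effect")
        if effect == "Deny" and any(a in ("*", "admin:*") for a in acts):
            denied = True
        if effect == "Allow" and any(a == "*" or a.startswith("admin:") for a in acts):
            allowed = True
    out = []
    if allowed:
        out.append(MSG_GRANTS_ADMIN)
    if not denied:
        out.append(MSG_NO_ADMIN_DENY)
    return out
```

Run `findings()` over each access key's policy document exported from the deployment to list the keys still needing the explicit deny.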