CVE-2022-24842

CVSS v2.0

9.0

High

Vector

AV:N/AC:L/Au:S/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions MinIO versions prior to RELEASE.2022-04-12T06-55-35Z

Description A security issue was found in MinIO where a non-admin user can create service accounts for root or other admin users and then assume their access policies via the generated credentials, allowing the user to escalate privilege to that of the root user.

Recommendations For versions prior to RELEASE.2022-04-12T06-55-35Z, update to RELEASE.2022-04-12T06-55-35Z or later to resolve the issue. As a temporary workaround, consider explicitly adding an admin:CreateServiceAccount deny policy, however, this will deny the user the ability to create their own service accounts as well.

Exploit

Fix

Improper Privilege Management

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-269

Related Identifiers

ALT-PU-2022-3382

ALT-PU-2023-1522

ALT-PU-2023-1908

ALT-PU-2023-2074

ALT-PU-2024-17529

BIT-MINIO-2022-24842

CVE-2022-24842

GHSA-2J69-JJMG-534Q

Affected Products

Alt Linux

Minio

CVE-2022-24842

Weakness Enumeration

Related Identifiers

Affected Products

References · 17