PT-2024-1573

Credit: Niklasbeierl +1

Published: 2024-01-26
Updated: 2024-12-17

CVE-2024-24747

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: MinIO versions prior to RELEASE.2024-01-31T20-20-33Z

Description: The issue concerns the inheritance of permissions by access keys in MinIO, a high-performance object storage system. When an access key is created, it inherits the permissions of its parent key, including admin:* actions, unless admin rights are explicitly denied somewhere above it in the access-key hierarchy. An access key can therefore use those inherited admin rights to rewrite its own S3 permissions to something more permissive. The estimated number of potentially affected devices worldwide is around 322,400, mainly distributed in China, the United States, and other countries.

Recommendations: To resolve the issue, update to MinIO RELEASE.2024-01-31T20-20-33Z or later, which fixes the permission checks applied when editing access keys. As a temporary workaround, explicitly deny admin actions on access keys to prevent privilege escalation. Restrict the UpdateServiceAccountAdminAction permission to minimize the risk of exploitation. Avoid granting admin:* actions to access keys until the issue is resolved.
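One way to apply the workaround above, as an added example that is not part of this advisory or of MinIO's own documentation: a MinIO policy document that allows ordinary bucket access but explicitly denies every admin action, so an access key created under it cannot inherit admin rights and widen its own S3 permissions. The bucket name is a constructed placeholder; the policy shape follows MinIO's IAM-compatible format, and the statement IDs are descriptive labels of this example only.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "BucketAccessOnlyForThisKey",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
      "Resource": [
        "arn:aws:s3:::example-bucket",
        "arn:aws:s3:::example-bucket/*"
      ]
    },
    {
      "Sid": "ExplicitDenyOfAllAdminActionsIncludingUpdateServiceAccount",
      "Effect": "Deny",
      "Action": ["admin:*"]
    }
  ]
}
```

Attach it to the parent user or pass it when the key is created (the --policy option of mc admin user svcacct add); because an explicit Deny overrides any inherited Allow, admin:* is blocked for that key even on versions before the fix.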

Weakness Enumeration

Improper Privilege Management

Related Identifiers

ALT-PU-2024-17000
BDU:2024-01131
BIT-MINIO-2024-24747
CVE-2024-24747
GHSA-XX8W-MQ23-29G4
GO-2024-2499

Affected Products

Alt Linux
Minio
Red Os