CVE-2024-55949

CVSS v4.0

9.3

Critical

Vector

AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Name of the Vulnerable Software and Affected Versions MinIO versions prior to RELEASE.2024-12-13T22-19-12Z

Description The issue is related to a privilege escalation vulnerability in the IAM import API of MinIO, which is a high-performance, S3 compatible object store. This vulnerability allows any user to gain full admin privileges. The problem is caused by missing permissions checking in the API, allowing a user to change their policy mapping. All users are impacted since MinIO commit 580d9db85e04f1b63cc2909af50f0ed08afa965f.

Recommendations To resolve the issue, upgrade to RELEASE.2024-12-13T22-19-12Z or later. As a temporary workaround, consider blocking external access to the /minio/admin/v2/import-iam and /minio/admin/v3/import-iam-v2 API endpoints, for example, by using a load balancer or firewall such as nginx.

Exploit

Fix

Improper Privilege Management

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-269

Related Identifiers

ALT-PU-2025-1803

ALT-PU-2025-1839

ALT-PU-2025-1841

BDU:2024-11410

BIT-MINIO-2024-55949

CVE-2024-55949

GHSA-CWQ8-G58R-32HG

GO-2024-3336

OPENSUSE-SU-2024:14603-1

Affected Products

Alt Linux

Minio

Red Os

CVE-2024-55949

Weakness Enumeration

Related Identifiers

Affected Products

References · 37