MinIO is a high-performance, S3 compatible object store, open sourced under GNU AGPLv3 license. Minio is subject to a privilege escalation in IAM import API, all users are impacted since MinIO commit `580d9db85e04f1b63cc2909af50f0ed08afa965f`. This issue has been addressed in commit `f246c9053f9603e610d98439799bdd2a6b293427` which is included in RELEASE.2024-12-13T22-19-12Z. There are no workarounds possible, all users are advised to upgrade immediately.
History

Tue, 17 Dec 2024 14:00:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}

threat_severity

Important


Mon, 16 Dec 2024 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 16 Dec 2024 20:15:00 +0000

Type Values Removed Values Added
Description MinIO is a high-performance, S3 compatible object store, open sourced under GNU AGPLv3 license. Minio is subject to a privilege escalation in IAM import API, all users are impacted since MinIO commit `580d9db85e04f1b63cc2909af50f0ed08afa965f`. This issue has been addressed in commit `f246c9053f9603e610d98439799bdd2a6b293427` which is included in RELEASE.2024-12-13T22-19-12Z. There are no workarounds possible, all users are advised to upgrade immediately.
Title Privilege escalation in IAM import API in MinIO
Weaknesses CWE-269
References
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-12-16T20:02:00.856Z

Updated: 2024-12-16T20:18:46.452Z

Reserved: 2024-12-13T17:39:32.960Z

Link: CVE-2024-55949

cve-icon Vulnrichment

Updated: 2024-12-16T20:18:38.950Z

cve-icon NVD

Status : Received

Published: 2024-12-16T20:15:13.683

Modified: 2024-12-16T20:15:13.683

Link: CVE-2024-55949

cve-icon Redhat

Severity : Important

Publid Date: 2024-12-16T20:02:00Z

Links: CVE-2024-55949 - Bugzilla