CVE-2024-55949
9.3 Critical
Published:
Last updated:
Source: security-advisories@github.com
Deferred
Weakness (CWE)
CVSS Vector
v4.0
- Attack Vector: Network
- Attack Complexity: Low
- Attack Requirements: None
- Privileges Required: None
- User Interaction: None
- Confidentiality (Vulnerable): High
- Integrity (Vulnerable): High
- Availability (Vulnerable): None
- Confidentiality (Subsequent): None
- Integrity (Subsequent): None
- Availability (Subsequent): None
Description
MinIO is a high-performance, S3-compatible object store, open sourced under the GNU AGPLv3 license. MinIO is subject to a privilege escalation in the IAM import API; all users are impacted since MinIO commit `580d9db85e04f1b63cc2909af50f0ed08afa965f`. This issue has been addressed in commit `f246c9053f9603e610d98439799bdd2a6b293427`, which is included in RELEASE.2024-12-13T22-19-12Z. No workarounds are possible; all users are advised to upgrade immediately.
References
- https://github.com/minio/minio/commit/580d9db85e04f1b63cc2909af50f0ed08afa965f
- https://github.com/minio/minio/commit/f246c9053f9603e610d98439799bdd2a6b293427
- https://github.com/minio/minio/pull/20756
- https://github.com/minio/minio/security/advisories/GHSA-cwq8-g58r-32hg