
Summary: A critical vulnerability in MinIO allows users to escalate their privileges to administrator level, posing a severe risk to data security. This flaw, tracked as CVE-2024-55949, affects all MinIO versions since June 2022 and requires immediate patching.
Threat Actor: Unknown
Victim: MinIO users
Key Points:
- Vulnerability CVE-2024-55949 has a CVSSv4 score of 9.3, indicating critical severity.
- Any authenticated user can abuse the IAM import API (reached via mc admin cluster iam import) with a crafted iam-info.zip file to rewrite their own permissions.
- This vulnerability affects all MinIO versions released since June 23, 2022, with no known workarounds.
- MinIO users are urged to update to the patched version (RELEASE.2024-12-13T22-19-12Z) immediately.
- Two critical 2023 vulnerabilities (CVE-2023-28432 and CVE-2023-28434) were likewise exploited for unauthorized data access and arbitrary code execution.
A newly discovered vulnerability in MinIO, the popular open-source object storage platform, could allow any authenticated user to escalate their privileges to the administrator level, posing a significant risk to data security.
The vulnerability, tracked as CVE-2024-55949 and assigned a CVSSv4 score of 9.3 (critical), exists in the IAM import API. Because the import handler does not check the caller's permissions, an attacker can craft a malicious iam-info.zip file that modifies their own user's permissions and upload it with the mc admin cluster iam import command. This lets them grant themselves full administrative control, effectively hijacking the entire MinIO deployment.
This vulnerability affects all MinIO versions released since June 23, 2022, and impacts all users, regardless of their initial privileges.
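In the field, the signal for this abuse is an IAM import call made by a principal that is not an administrator; on an unpatched server that call succeeds and the caller's policy changes. The following triage is an added example, not MinIO code and not part of the original advisory. It assumes MinIO's JSON audit-log field names (time, api.name, api.statusCode, remotehost, requestPath, accessKey), assumes the import handler is audited as ImportIAM on the /minio/admin/v3/import-iam path, and runs over a constructed four-line log excerpt rather than a real capture.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strings"
)

// auditEntry holds the fields of a MinIO audit-log record that this triage
// needs. Field names follow MinIO's JSON audit format (assumed here:
// "time", "api", "remotehost", "requestPath", "accessKey").
type auditEntry struct {
	Time string `json:"time"`
	API  struct {
		Name       string `json:"name"`
		StatusCode int    `json:"statusCode"`
	} `json:"api"`
	RemoteHost  string `json:"remotehost"`
	RequestPath string `json:"requestPath"`
	AccessKey   string `json:"accessKey"`
}

// Finding is one IAM import call worth an analyst's attention.
type Finding struct {
	Time       string
	AccessKey  string
	RemoteHost string
	StatusCode int
	ByNonAdmin bool // caller is not in the known-admin allow list
}

// isIAMImport matches the import call by handler name or admin API path
// (assumption: the handler is audited as "ImportIAM" under /import-iam).
func isIAMImport(e auditEntry) bool {
	return e.API.Name == "ImportIAM" || strings.Contains(e.RequestPath, "/import-iam")
}

// FindIAMImports scans newline-delimited audit JSON and returns every IAM
// import call. Calls by keys outside admins are flagged: on an unpatched
// server such a call can succeed and rewrite the caller's own permissions.
func FindIAMImports(auditLog string, admins map[string]bool) ([]Finding, error) {
	var findings []Finding
	sc := bufio.NewScanner(strings.NewReader(auditLog))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var e auditEntry
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			return nil, fmt.Errorf("line %d: %w", n, err)
		}
		if !isIAMImport(e) {
			continue
		}
		findings = append(findings, Finding{
			Time:       e.Time,
			AccessKey:  e.AccessKey,
			RemoteHost: e.RemoteHost,
			StatusCode: e.API.StatusCode,
			ByNonAdmin: !admins[e.AccessKey],
		})
	}
	return findings, sc.Err()
}

// sampleAudit is a constructed excerpt, not a capture from a real deployment.
const sampleAudit = `
{"version":"1","time":"2024-12-10T09:12:01Z","api":{"name":"PutObject","bucket":"reports","object":"q4.pdf","status":"OK","statusCode":200},"remotehost":"10.0.0.42","requestPath":"/reports/q4.pdf","accessKey":"app-user"}
{"version":"1","time":"2024-12-10T09:13:27Z","api":{"name":"ImportIAM","status":"OK","statusCode":200},"remotehost":"10.0.0.42","requestPath":"/minio/admin/v3/import-iam","accessKey":"app-user"}
{"version":"1","time":"2024-12-10T09:14:05Z","api":{"name":"ListBuckets","status":"OK","statusCode":200},"remotehost":"10.0.0.42","requestPath":"/","accessKey":"app-user"}
{"version":"1","time":"2024-12-10T18:00:44Z","api":{"name":"ImportIAM","status":"OK","statusCode":200},"remotehost":"10.0.1.5","requestPath":"/minio/admin/v3/import-iam","accessKey":"ops-admin"}
`

func main() {
	admins := map[string]bool{"ops-admin": true}
	findings, err := FindIAMImports(sampleAudit, admins)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		flag := ""
		if f.ByNonAdmin {
			flag = "  <-- non-admin key imported IAM: review that key's policy for escalation"
		}
		fmt.Printf("%s %-10s %-10s HTTP %d%s\n", f.Time, f.AccessKey, f.RemoteHost, f.StatusCode, flag)
	}
}
```

The match is on the API name and path rather than on the mc user agent: mc is only a client for MinIO's signed admin REST API, so the same request can be sent by any HTTP client. Every import call is returned, including those by known administrators, so that a legitimate import that precedes an unexplained policy change is not hidden from the analyst.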
MinIO users are strongly urged to update their deployments to the patched version (RELEASE.2024-12-13T22-19-12Z) immediately; the running version can be checked with mc admin info or from the server's startup banner. There are no known workarounds for this vulnerability.
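With no workaround, the practical question for an operator is which servers in an estate fall inside the affected window. The check below is an added example, not part of the original advisory or of the MinIO project. It takes the affected window (every release since 2022-06-23) and the fixed release from the advisory text above, assumes the version string is either the RELEASE.YYYY-MM-DDTHH-MM-SSZ tag form (optionally with a hotfix suffix) or the ISO timestamp form that mc admin info prints, and uses a constructed three-host inventory.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// MinIO server release tags look like RELEASE.2024-12-13T22-19-12Z; the
// timestamp is the release time, so releases are ordered by parsing it.
const releaseLayout = "RELEASE.2006-01-02T15-04-05Z"

// Boundaries taken from the advisory text above: every release since
// 2022-06-23 is affected and RELEASE.2024-12-13T22-19-12Z carries the fix.
var (
	firstAffected = time.Date(2022, time.June, 23, 0, 0, 0, 0, time.UTC)
	patchedAt     = mustParse("RELEASE.2024-12-13T22-19-12Z")
)

// Status classifies a release relative to CVE-2024-55949.
type Status int

const (
	NotAffected Status = iota // released before the affected window opened
	Vulnerable                // inside the affected window and unpatched
	Patched                   // the fixed release or anything newer
)

func (s Status) String() string {
	return [...]string{"not affected", "VULNERABLE", "patched"}[s]
}

// ParseRelease accepts either the tag form (RELEASE.2024-12-13T22-19-12Z,
// optionally followed by a hotfix suffix after the Z) or the RFC 3339 form
// shown by "mc admin info" (2024-12-13T22:19:12Z).
func ParseRelease(v string) (time.Time, error) {
	v = strings.TrimSpace(v)
	if i := strings.Index(v, "Z"); i >= 0 {
		v = v[:i+1] // drop build/hotfix suffixes such as ".hotfix.abc"
	}
	if t, err := time.Parse(releaseLayout, v); err == nil {
		return t, nil
	}
	t, err := time.Parse(time.RFC3339, v)
	if err != nil {
		return time.Time{}, fmt.Errorf("unrecognised MinIO version %q", v)
	}
	return t, nil
}

// Classify reports whether the given server version needs patching.
func Classify(v string) (Status, error) {
	t, err := ParseRelease(v)
	if err != nil {
		return NotAffected, err
	}
	switch {
	case !t.Before(patchedAt):
		return Patched, nil
	case t.Before(firstAffected):
		return NotAffected, nil
	default:
		return Vulnerable, nil
	}
}

func mustParse(tag string) time.Time {
	t, err := time.Parse(releaseLayout, tag)
	if err != nil {
		panic(err)
	}
	return t
}

func main() {
	// Constructed sample inventory; hostnames and versions are illustrative.
	inventory := map[string]string{
		"s3-prod-1": "RELEASE.2024-11-07T00-52-20Z",
		"s3-prod-2": "2024-12-18T13:15:44Z",
		"s3-legacy": "RELEASE.2022-03-26T06-49-28Z",
	}
	for host, v := range inventory {
		s, err := Classify(v)
		if err != nil {
			fmt.Printf("%s: %v\n", host, err)
			continue
		}
		fmt.Printf("%-10s %-32s %s\n", host, v, s)
	}
}
```

A version that fails to parse is reported as an error rather than silently treated as safe, so an unexpected version string from one host shows up in the output instead of being skipped.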
This is not the first time MinIO has faced security challenges. In 2023, two other critical vulnerabilities (CVE-2023-28432 and CVE-2023-28434) were exploited by attackers to gain unauthorized access to sensitive data and execute arbitrary code.
CVE-2024-55949 poses a significant privilege escalation risk with no available workarounds. As MinIO systems are critical for modern data workloads, patching immediately is imperative. Delayed action could expose organizations to severe breaches and data compromises.
