Sign-up

ID

VAR-202204-0667


CVE

CVE-2022-24842


TITLE

Minio Inc.  of  Minio  Vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2022-008408

DESCRIPTION

MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. A security issue was found where an non-admin user is able to create service accounts for root or other admin users and then is able to assume their access policies via the generated credentials. This in turn allows the user to escalate privilege to that of the root user. This vulnerability has been resolved in pull request #14729 and is included in `RELEASE.2022-04-12T06-55-35Z`. Users unable to upgrade may workaround this issue by explicitly adding a `admin:CreateServiceAccount` deny policy, however, this, in turn, denies the user the ability to create their own service accounts as well. Minio Inc. of Minio Exists in unspecified vulnerabilities.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state

Trust: 1.71

sources: NVD: CVE-2022-24842 // JVNDB: JVNDB-2022-008408 // VULMON: CVE-2022-24842

AFFECTED PRODUCTS

vendor:miniomodel:minioscope:ltversion:2022-04-12t06-55-35z

Trust: 1.0

vendor:miniomodel:minioscope:gteversion:2021-12-09t06-19-41z

Trust: 1.0

vendor:miniomodel:minioscope:eqversion: -

Trust: 0.8

vendor:miniomodel:minioscope:eqversion:2021-12-09t06-19-41z that's all 2022-04-12t06-55-35z

Trust: 0.8

vendor:miniomodel:minioscope: - version: -

Trust: 0.8

sources: JVNDB: JVNDB-2022-008408 // NVD: CVE-2022-24842

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD: CVE-2022-24842
value: HIGH

Trust: 1.8

security-advisories@github.com: CVE-2022-24842
value: HIGH

Trust: 1.0

CNNVD: CNNVD-202204-3225
value: HIGH

Trust: 0.6

VULMON: CVE-2022-24842
value: HIGH

Trust: 0.1

NVD:
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: FALSE
obtainAllPrivilege: FALSE
obtainUserPrivilege: FALSE
obtainOtherPrivilege: FALSE
userInteractionRequired: FALSE
version: 2.0

Trust: 1.0

NVD: CVE-2022-24842
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.9

NVD:
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 2.0

NVD: CVE-2022-24842
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULMON: CVE-2022-24842 // JVNDB: JVNDB-2022-008408 // NVD: CVE-2022-24842 // NVD: CVE-2022-24842 // CNNVD: CNNVD-202204-3225

PROBLEMTYPE DATA

problemtype:NVD-CWE-Other

Trust: 1.0

problemtype:others (CWE-Other) [NVD evaluation ]

Trust: 0.8

sources: JVNDB: JVNDB-2022-008408 // NVD: CVE-2022-24842

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202204-3225

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202204-3225

CONFIGURATIONS

sources:
            
            
            NVD: CVE-2022-24842

PATCH
title:MinIO Security vulnerabilitiesurl:http://123.124.177.30/web/xxk/bdxqbyid.tag?id=190450
Trust: 0.6
sources:
            
            
            CNNVD: CNNVD-202204-3225

EXTERNAL IDS
db:NVDid:CVE-2022-24842
Trust: 3.3
db:JVNDBid:JVNDB-2022-008408
Trust: 0.8
db:CS-HELPid:SB2022062921
Trust: 0.6
db:CNNVDid:CNNVD-202204-3225
Trust: 0.6
db:VULMONid:CVE-2022-24842
Trust: 0.1
sources:
            
            
            VULMON: CVE-2022-24842 // 
            
            
            
            JVNDB: JVNDB-2022-008408 // 
            
            
            
            NVD: CVE-2022-24842 // 
            
            
            
            CNNVD: CNNVD-202204-3225

REFERENCES
url:https://github.com/minio/minio/security/advisories/ghsa-2j69-jjmg-534q
Trust: 2.5
url:https://github.com/minio/minio/commit/66b14a0d32684d527ae8018dc6d9d46ccce58ae3
Trust: 2.5
url:https://github.com/minio/minio/pull/14729
Trust: 2.5
url:https://nvd.nist.gov/vuln/detail/cve-2022-24842
Trust: 0.8
url:https://cxsecurity.com/cveshow/cve-2022-24842/
Trust: 0.6
url:https://www.cybersecurity-help.cz/vdb/sb2022062921
Trust: 0.6
url:https://cwe.mitre.org/data/definitions/269.html
Trust: 0.1
url:https://nvd.nist.gov
Trust: 0.1
sources:
            
            
            VULMON: CVE-2022-24842 // 
            
            
            
            JVNDB: JVNDB-2022-008408 // 
            
            
            
            NVD: CVE-2022-24842 // 
            
            
            
            CNNVD: CNNVD-202204-3225

SOURCES
db:VULMONid:CVE-2022-24842
db:JVNDBid:JVNDB-2022-008408
db:NVDid:CVE-2022-24842
db:CNNVDid:CNNVD-202204-3225

LAST UPDATE DATE
2023-12-18T13:37:00.588000+00:00

SOURCES UPDATE DATE
db:VULMONid:CVE-2022-24842date:2022-04-23T00:00:00
db:JVNDBid:JVNDB-2022-008408date:2023-07-26T08:26:00
db:NVDid:CVE-2022-24842date:2023-07-06T13:51:44.233
db:CNNVDid:CNNVD-202204-3225date:2023-07-07T00:00:00

SOURCES RELEASE DATE
db:VULMONid:CVE-2022-24842date:2022-04-12T00:00:00
db:JVNDBid:JVNDB-2022-008408date:2023-07-26T00:00:00
db:NVDid:CVE-2022-24842date:2022-04-12T18:15:09.690
db:CNNVDid:CNNVD-202204-3225date:2022-04-12T00:00:00