ID

VAR-202204-0667


CVE

CVE-2022-24842


TITLE

Minio Inc. of Minio Vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2022-008408

DESCRIPTION

MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. A security issue was found where a non-admin user is able to create service accounts for root or other admin users and then is able to assume their access policies via the generated credentials. This in turn allows the user to escalate privilege to that of the root user. This vulnerability has been resolved in pull request #14729 and is included in `RELEASE.2022-04-12T06-55-35Z`. Users unable to upgrade may work around this issue by explicitly adding an `admin:CreateServiceAccount` deny policy; however, this in turn denies the user the ability to create their own service accounts as well. An unspecified vulnerability exists in Minio by Minio Inc. Information may be obtained, information may be tampered with, and service operation may be interrupted (DoS).

Trust: 1.71

sources: NVD: CVE-2022-24842 // JVNDB: JVNDB-2022-008408 // VULMON: CVE-2022-24842

AFFECTED PRODUCTS

vendor: minio // model: minio // scope: lt // version: 2022-04-12t06-55-35z

Trust: 1.0

vendor: minio // model: minio // scope: gte // version: 2021-12-09t06-19-41z

Trust: 1.0

vendor: minio // model: minio // scope: eq // version: -

Trust: 0.8

vendor: minio // model: minio // scope: eq // version: 2021-12-09t06-19-41z that's all 2022-04-12t06-55-35z

Trust: 0.8

vendor: minio // model: minio // scope: - // version: -

Trust: 0.8

sources: JVNDB: JVNDB-2022-008408 // NVD: CVE-2022-24842

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD: CVE-2022-24842
value: HIGH

Trust: 1.8

security-advisories@github.com: CVE-2022-24842
value: HIGH

Trust: 1.0

CNNVD: CNNVD-202204-3225
value: HIGH

Trust: 0.6

VULMON: CVE-2022-24842
value: HIGH

Trust: 0.1

NVD:
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: FALSE
obtainAllPrivilege: FALSE
obtainUserPrivilege: FALSE
obtainOtherPrivilege: FALSE
userInteractionRequired: FALSE
version: 2.0

Trust: 1.0

NVD: CVE-2022-24842
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.9

NVD:
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 2.0

NVD: CVE-2022-24842
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULMON: CVE-2022-24842 // JVNDB: JVNDB-2022-008408 // NVD: CVE-2022-24842 // NVD: CVE-2022-24842 // CNNVD: CNNVD-202204-3225

PROBLEMTYPE DATA

problemtype: NVD-CWE-Other

Trust: 1.0

problemtype: others (CWE-Other) [NVD evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2022-008408 // NVD: CVE-2022-24842

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202204-3225

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202204-3225

CONFIGURATIONS

sources: NVD: CVE-2022-24842

PATCH

title: MinIO Security vulnerabilities // url: http://123.124.177.30/web/xxk/bdxqbyid.tag?id=190450

Trust: 0.6

sources: CNNVD: CNNVD-202204-3225

EXTERNAL IDS

db: NVD // id: CVE-2022-24842

Trust: 3.3

db: JVNDB // id: JVNDB-2022-008408

Trust: 0.8

db: CS-HELP // id: SB2022062921

Trust: 0.6

db: CNNVD // id: CNNVD-202204-3225

Trust: 0.6

db: VULMON // id: CVE-2022-24842

Trust: 0.1

sources: VULMON: CVE-2022-24842 // JVNDB: JVNDB-2022-008408 // NVD: CVE-2022-24842 // CNNVD: CNNVD-202204-3225

REFERENCES

url:https://github.com/minio/minio/security/advisories/ghsa-2j69-jjmg-534q

Trust: 2.5

url:https://github.com/minio/minio/commit/66b14a0d32684d527ae8018dc6d9d46ccce58ae3

Trust: 2.5

url:https://github.com/minio/minio/pull/14729

Trust: 2.5

url:https://nvd.nist.gov/vuln/detail/cve-2022-24842

Trust: 0.8

url:https://cxsecurity.com/cveshow/cve-2022-24842/

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2022062921

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/269.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: VULMON: CVE-2022-24842 // JVNDB: JVNDB-2022-008408 // NVD: CVE-2022-24842 // CNNVD: CNNVD-202204-3225

SOURCES

db: VULMON // id: CVE-2022-24842
db: JVNDB // id: JVNDB-2022-008408
db: NVD // id: CVE-2022-24842
db: CNNVD // id: CNNVD-202204-3225

LAST UPDATE DATE

2023-12-18T13:37:00.588000+00:00


SOURCES UPDATE DATE

db: VULMON // id: CVE-2022-24842 // date: 2022-04-23T00:00:00
db: JVNDB // id: JVNDB-2022-008408 // date: 2023-07-26T08:26:00
db: NVD // id: CVE-2022-24842 // date: 2023-07-06T13:51:44.233
db: CNNVD // id: CNNVD-202204-3225 // date: 2023-07-07T00:00:00

SOURCES RELEASE DATE

db: VULMON // id: CVE-2022-24842 // date: 2022-04-12T00:00:00
db: JVNDB // id: JVNDB-2022-008408 // date: 2023-07-26T00:00:00
db: NVD // id: CVE-2022-24842 // date: 2022-04-12T18:15:09.690
db: CNNVD // id: CNNVD-202204-3225 // date: 2022-04-12T00:00:00