ID

VAR-202401-1568


CVE

CVE-2024-24747


TITLE

Minio Inc.  of  Minio  Vulnerability in privilege management in

Trust: 0.8

sources: JVNDB: JVNDB-2024-002452

DESCRIPTION

MinIO is a High Performance Object Storage. When someone creates an access key, it inherits the permissions of the parent key. Not only for `s3:*` actions, but also `admin:*` actions. Which means unless somewhere above in the access-key hierarchy, the `admin` rights are denied, access keys will be able to simply override their own `s3` permissions to something more permissive. The vulnerability is fixed in RELEASE.2024-01-31T20-20-33Z. Minio Inc. of Minio Exists in a permission management vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state

Trust: 1.71

sources: NVD: CVE-2024-24747 // JVNDB: JVNDB-2024-002452 // VULMON: CVE-2024-24747

AFFECTED PRODUCTS

vendor:miniomodel:minioscope:eqversion:2024-01-31t20-20-33z

Trust: 1.8

vendor:miniomodel:minioscope:eqversion: -

Trust: 0.8

vendor:miniomodel:minioscope: - version: -

Trust: 0.8

sources: JVNDB: JVNDB-2024-002452 // NVD: CVE-2024-24747

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD: CVE-2024-24747
value: HIGH

Trust: 1.8

security-advisories@github.com: CVE-2024-24747
value: HIGH

Trust: 1.0

NVD:
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 2.0

NVD: CVE-2024-24747
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2024-002452 // NVD: CVE-2024-24747 // NVD: CVE-2024-24747

PROBLEMTYPE DATA

problemtype:CWE-269

Trust: 1.0

problemtype:Improper authority management (CWE-269) [ others ]

Trust: 0.8

sources: JVNDB: JVNDB-2024-002452 // NVD: CVE-2024-24747

EXTERNAL IDS

db:NVDid:CVE-2024-24747

Trust: 2.7

db:JVNDBid:JVNDB-2024-002452

Trust: 0.8

db:VULMONid:CVE-2024-24747

Trust: 0.1

sources: VULMON: CVE-2024-24747 // JVNDB: JVNDB-2024-002452 // NVD: CVE-2024-24747

REFERENCES

url:https://github.com/minio/minio/security/advisories/ghsa-xx8w-mq23-29g4

Trust: 1.9

url:https://github.com/minio/minio/commit/0ae4915a9391ef4b3ec80f5fcdcf24ee6884e776

Trust: 1.9

url:https://github.com/minio/minio/releases/tag/release.2024-01-31t20-20-33z

Trust: 1.9

url:https://nvd.nist.gov/vuln/detail/cve-2024-24747

Trust: 0.8

url:https://cwe.mitre.org/data/definitions/269.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: VULMON: CVE-2024-24747 // JVNDB: JVNDB-2024-002452 // NVD: CVE-2024-24747

SOURCES

db:VULMONid:CVE-2024-24747
db:JVNDBid:JVNDB-2024-002452
db:NVDid:CVE-2024-24747

LAST UPDATE DATE

2024-02-15T23:13:44.206000+00:00


SOURCES UPDATE DATE

db:VULMONid:CVE-2024-24747date:2024-02-01T00:00:00
db:JVNDBid:JVNDB-2024-002452date:2024-02-14T06:58:00
db:NVDid:CVE-2024-24747date:2024-02-09T15:18:00.510

SOURCES RELEASE DATE

db:VULMONid:CVE-2024-24747date:2024-01-31T00:00:00
db:JVNDBid:JVNDB-2024-002452date:2024-02-14T00:00:00
db:NVDid:CVE-2024-24747date:2024-01-31T22:15:54.813