Homepage
About Snyk

Improper Privilege Management Affecting github.com/minio/minio/cmd package, versions *

Severity

 Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    Exploit Maturity
    Mature
    EPSS
    0.21% (60th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-GOLANG-GITHUBCOMMINIOMINIOCMD-6226528
  • published 26 Apr 2024
  • disclosed 31 Jan 2024
  • credit xSke, NiklasBeierl
Report a new vulnerability Found a mistake?

Introduced: 31 Jan 2024

CVE-2024-24747 Open this link in a new tab
CWE-269 Open this link in a new tab

How to fix?

A fix was pushed into the master branch but not yet published.

Overview

github.com/minio/minio/cmd is an open source object storage server compatible with Amazon S3 APIs.

Affected versions of this package are vulnerable to Improper Privilege Management due to the inheritance of permissions during the creation of an access key. An attacker can escalate privileges and override s3 permissions to gain more permissive access by creating a new access key that inherits admin:* actions from the parent key.

Workaround

Explicitly deny admin actions on access keys.

CVSS Scores

version 3.1
Expand this section

Snyk

8.8 high
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    Low
  • User Interaction (UI)
    None
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    High
  • Integrity (I)
    High
  • Availability (A)
    High
Expand this section

NVD

8.8 high