A newly discovered vulnerability in MinIO, the popular open-source object storage platform, could allow any user to escalate their privileges to the administrator level, posing a significant risk to data security.
The vulnerability, tracked as CVE-2024-55949 and assigned a CVSSv4 score of 9.3 (critical), exists in the IAM import API. Because the API is missing permission checks, an attacker can modify their own user permissions by crafting a malicious iam-info.zip file and uploading it with the mc admin cluster iam import command. This lets them grant themselves full administrative control, effectively taking over the entire MinIO deployment.
This vulnerability affects all MinIO versions released since June 23, 2022, and can be exploited by any user, regardless of their initial privileges.
MinIO users are strongly urged to update their deployments to the patched version (RELEASE.2024-12-13T22-19-12Z) immediately. There are no known workarounds for this vulnerability.
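Because the fix is a single release boundary and the affected window opens on a fixed date, a fleet check reduces to comparing build timestamps. The script below is an added example, not code from the article or from the MinIO project: it parses the build time encoded in a MinIO version string and reports whether that build falls inside the CVE-2024-55949 window (on or after June 23, 2022, and older than RELEASE.2024-12-13T22-19-12Z). It assumes version strings arrive either as the RELEASE.YYYY-MM-DDThh-mm-ssZ tag or as the equivalent plain ISO-8601 timestamp; the inventory at the bottom is constructed for illustration and does not describe real hosts.

```python
from datetime import datetime, timezone
import re

# Boundaries taken from the advisory: every build from 2022-06-23 onward is
# affected until the fixed release RELEASE.2024-12-13T22-19-12Z.
FIRST_AFFECTED = datetime(2022, 6, 23, tzinfo=timezone.utc)
PATCHED_TAG = "RELEASE.2024-12-13T22-19-12Z"

# MinIO release tags encode the build time as RELEASE.YYYY-MM-DDThh-mm-ssZ.
# Assumption: some tooling reports the same instant as a plain ISO-8601
# timestamp (YYYY-MM-DDThh:mm:ssZ), so both spellings are accepted here.
_VERSION = re.compile(
    r"^(?:RELEASE\.)?(\d{4}-\d{2}-\d{2})T(\d{2})[-:](\d{2})[-:](\d{2})Z$"
)


def parse_build_time(version: str) -> datetime:
    """Return the UTC build instant encoded in a MinIO version string."""
    m = _VERSION.match(version.strip())
    if m is None:
        raise ValueError(f"unrecognised MinIO version string: {version!r}")
    day, hh, mm, ss = m.groups()
    return datetime.fromisoformat(f"{day}T{hh}:{mm}:{ss}+00:00")


PATCHED_AT = parse_build_time(PATCHED_TAG)


def is_affected(version: str) -> bool:
    """True if this build falls inside the CVE-2024-55949 window.

    The window is half-open: builds on or after 2022-06-23 are affected;
    the fixed release itself and anything newer are not.
    """
    built = parse_build_time(version)
    return FIRST_AFFECTED <= built < PATCHED_AT


def triage(versions):
    """Map each version string to 'affected', 'not affected' or 'unknown'.

    An unparsable string is reported as 'unknown' rather than silently
    treated as safe, so it still shows up for manual follow-up.
    """
    result = {}
    for v in versions:
        try:
            result[v] = "affected" if is_affected(v) else "not affected"
        except ValueError:
            result[v] = "unknown"
    return result


# Constructed sample inventory (hypothetical hosts), one version string each.
SAMPLE_INVENTORY = {
    "minio-a": "RELEASE.2022-06-20T23-13-45Z",  # built before the window opens
    "minio-b": "RELEASE.2023-09-04T19-57-37Z",  # inside the window
    "minio-c": "2024-12-13T22:19:12Z",          # the fix, ISO spelling
    "minio-d": "RELEASE.2025-01-18T00-31-37Z",  # newer than the fix
    "minio-e": "unknown-build",                 # unparsable, needs a look
}

if __name__ == "__main__":
    verdicts = triage(SAMPLE_INVENTORY.values())
    for host, version in SAMPLE_INVENTORY.items():
        print(f"{host:<8} {version:<30} {verdicts[version]}")
```

Feed it the version string each server reports (however your inventory collects it) and act on every "affected" and "unknown" entry; since the advisory lists no workaround, the only remediation for an affected host is upgrading to the patched release or newer.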
This is not the first time MinIO has faced security challenges. In 2023, two other critical vulnerabilities (CVE-2023-28432 and CVE-2023-28434) were exploited by attackers to gain unauthorized access to sensitive data and execute arbitrary code.
CVE-2024-55949 poses a significant privilege escalation risk with no available workarounds. As MinIO systems are critical for modern data workloads, patching immediately is imperative. Delayed action could expose organizations to severe breaches and data compromises.