Homepage
About Snyk

Improper Privilege Management Affecting github.com/minio/minio/cmd package, versions *

0.0
high

Snyk CVSS

    Attack Complexity Low
    Confidentiality High
    Integrity High
    Availability High

    Threat Intelligence

    Exploit Maturity Mature
    EPSS 0.21% (59th percentile)
Expand this section
NVD
8.8 high

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-GOLANG-GITHUBCOMMINIOMINIOCMD-6226528
  • published 26 Apr 2024
  • disclosed 31 Jan 2024
  • credit xSke, NiklasBeierl
Report a new vulnerability Found a mistake?

Introduced: 31 Jan 2024

CVE-2024-24747 Open this link in a new tab
CWE-269 Open this link in a new tab

How to fix?

A fix was pushed into the master branch but not yet published.

Overview

github.com/minio/minio/cmd is an open source object storage server compatible with Amazon S3 APIs.

Affected versions of this package are vulnerable to Improper Privilege Management due to the inheritance of permissions during the creation of an access key. An attacker can escalate privileges and override s3 permissions to gain more permissive access by creating a new access key that inherits admin:* actions from the parent key.

Workaround

Explicitly deny admin actions on access keys.