Improper Privilege Management
CVE-2022-24842
Summary
MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. A security issue was found where a non-admin user is able to create service accounts for the root user or other admin users and can then assume their access policies via the generated credentials. This in turn allows the user to escalate privilege to that of the root user. This vulnerability affects versions from RELEASE.2021-12-09T06-19-41Z prior to RELEASE.2022-04-12T06-55-35Z, and has been resolved in pull request #14729. Users unable to upgrade may work around this issue by explicitly adding an `admin:CreateServiceAccount` deny policy; however, this in turn also denies the affected user the ability to create their own service accounts.
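As an added illustration of the workaround described above (not taken from the advisory or from the MinIO project), the deny policy can be written as a MinIO IAM policy document. Admin actions in MinIO policies carry no Resource element; the policy file name `deny-svcacct-create.json` and the user `bob` mentioned below are assumptions for the example.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "admin:CreateServiceAccount"
      ]
    }
  ]
}
```

Load it with `mc admin policy add ALIAS deny-svcacct-create deny-svcacct-create.json` and attach it with `mc admin policy set ALIAS deny-svcacct-create user=bob` (these are the `mc` subcommand names of releases contemporary with the affected MinIO versions; later `mc` releases renamed them to `create` and `attach`). Because an explicit Deny overrides any Allow in the user's other policies, the vulnerable call is blocked for that user entirely, which is why, as the advisory notes, the user can no longer create service accounts for themselves either. Confirm the mitigation is in effect by attempting a service account creation as that user (for example with `mc admin user svcacct add`) and checking that the server rejects it.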
CVSS v3 base metrics
- Attack complexity: LOW
- Attack vector: NETWORK
- Availability: HIGH
- Scope: UNCHANGED
- User interaction: NONE
- Privileges required: LOW
- Confidentiality: HIGH
- Integrity: HIGH
CWE-269 - Improper Privilege Management
An effective privilege management infrastructure provides valid users with required access and privileges across heterogeneous technology environments. An application with a faulty privilege management infrastructure allows higher than authorized privileges or enables privilege escalation. This can lead to security incidents such as system infiltration, data breach, and complete system takeover.
References
Advisory Timeline
- Published