Closed
CVE-2024-24747 references github.com/minio/minio, which may be a Go module.
Description:
MinIO is a High Performance Object Storage. When someone creates an access key, it inherits the permissions of the parent key. Not only for s3:* actions, but also admin:* actions. Which means unless somewhere above in the access-key hierarchy, the admin rights are denied, access keys will be able to simply override their own s3 permissions to something more permissive. The vulnerability is fixed in RELEASE.2024-01-31T20-20-33Z.
References:
- NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-24747
- JSON: https://github.com/CVEProject/cvelist/tree/ee90e4ba1fff51febd6b16e888afac6a14a162ac/2024/24xxx/CVE-2024-24747.json
- advisory: GHSA-xx8w-mq23-29g4
- fix: minio/minio@0ae4915
- web: https://github.com/minio/minio/releases/tag/RELEASE.2024-01-31T20-20-33Z
- Imported by: https://pkg.go.dev/github.com/minio/minio?tab=importedby
Cross references:
- Module github.com/minio/minio appears in issue x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2021-43858 #285 EFFECTIVELY_PRIVATE
- Module github.com/minio/minio appears in issue x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2022-24842 #421 EFFECTIVELY_PRIVATE
- Module github.com/minio/minio appears in issue x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2022-31028 #479 EFFECTIVELY_PRIVATE
- Module github.com/minio/minio appears in issue x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2022-35919 #756 EFFECTIVELY_PRIVATE
- Module github.com/minio/minio appears in issue x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2023-25812 #1591 EFFECTIVELY_PRIVATE
- Module github.com/minio/minio appears in issue x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2023-27589 #1634 EFFECTIVELY_PRIVATE
- Module github.com/minio/minio appears in issue x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2023-28432 #1667 EFFECTIVELY_PRIVATE
- Module github.com/minio/minio appears in issue x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2023-28433 #1668 EFFECTIVELY_PRIVATE
- Module github.com/minio/minio appears in issue x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2023-28434 #1669 EFFECTIVELY_PRIVATE
- Module github.com/minio/minio appears in issue x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2018-1000538 #2206 LEGACY_FALSE_POSITIVE
- Module github.com/minio/minio appears in issue x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2020-11012 #2267 LEGACY_FALSE_POSITIVE
- Module github.com/minio/minio appears in issue x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2021-21287 #2318 LEGACY_FALSE_POSITIVE
- Module github.com/minio/minio appears in issue x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2021-21362 #2322 LEGACY_FALSE_POSITIVE
See doc/triage.md for instructions on how to triage this report.
id: GO-ID-PENDING
modules:
    - module: github.com/minio/minio
      vulnerable_at: 0.0.0-20240131203533-ee0055b92900
      packages:
        - package: minio
cves:
    - CVE-2024-24747
references:
    - advisory: https://github.com/minio/minio/security/advisories/GHSA-xx8w-mq23-29g4
    - fix: https://github.com/minio/minio/commit/0ae4915a9391ef4b3ec80f5fcdcf24ee6884e776
    - web: https://github.com/minio/minio/releases/tag/RELEASE.2024-01-31T20-20-33Z