Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2022-24842

Good to know:

icon

Date: April 12, 2022

MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. A security issue was found where an non-admin user is able to create service accounts for root or other admin users and then is able to assume their access policies via the generated credentials. This in turn allows the user to escalate privilege to that of the root user. This vulnerability has been resolved in pull request #14729 and is included in `RELEASE.2022-04-12T06-55-35Z`. Users unable to upgrade may workaround this issue by explicitly adding a `admin:CreateServiceAccount` deny policy, however, this, in turn, denies the user the ability to create their own service accounts as well.

Language: Go

Severity Score

Related Resources (5)

https://github.com/minio/minio/pull/14729
https://nvd.nist.gov/vuln/detail/CVE-2022-24842
https://github.com/minio/minio/security/advisories/GHSA-2j69-jjmg-534q
https://github.com/minio/minio/commit/66b14a0d32684d527ae8018dc6d9d46ccce58ae3
https://www.mend.io/vulnerability-database/CVE-2022-24842

Severity Score

Weakness Type (CWE)

Improper Privilege Management

CWE-269

Top Fix

icon

Upgrade Version

Upgrade to version RELEASE.2022-04-12T06-55-35Z

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): LOW
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): HIGH
Integrity (I): HIGH
Availability (A): HIGH

CVSS v2

Base Score:
Access Vector (AV): NETWORK
Access Complexity (AC): LOW
Authentication (AU): SINGLE
Confidentiality (C): COMPLETE
Integrity (I): COMPLETE
Availability (A): COMPLETE
Additional information:

Do you need more information?

Contact Us