Excessive privileges in github.com/minio/minio
Description
MinIO vulnerable to privilege escalation in IAM import API
Impact
Privilege escalation in the IAM import API. All users are impacted since MinIO commit 580d9db85e04f1b63cc2909af50f0ed08afa965f.
Patches
commit f246c9053f9603e610d98439799bdd2a6b293427
Author: Aditya Manthramurthy <[email protected]>
Date: Wed Dec 11 18:09:40 2024 -0800

fix: Privilege escalation in IAM import API (#20756)

This API had missing permissions checking, allowing a user to change their policy mapping by:...
Workarounds
There are no workarounds possible; all users are advised to upgrade immediately unless they run MinIO behind a load balancer or firewall.
Behind a load balancer / firewall such as nginx, the following locations can be blocked from external access, temporarily disabling these API calls completely until the deployments can be upgraded:
location /minio/admin/v2/import-iam { ... }
location /minio/admin/v3/import-iam-v2 { ... }
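An added example of the interim block described above, written for this advisory and not taken from the MinIO project: an nginx reverse proxy that returns 403 for the two import-iam paths and proxies everything else to MinIO. The upstream address, hostname and certificate paths are assumed placeholders.

```nginx
# Added example (not MinIO's own configuration): nginx in front of MinIO,
# denying the vulnerable IAM import endpoints until the servers are upgraded.
# Assumed: MinIO listens on 127.0.0.1:9000; hostname and cert paths are placeholders.

upstream minio_backend {
    server 127.0.0.1:9000;   # assumed MinIO address
}

server {
    listen 443 ssl;
    server_name minio.example.com;                    # placeholder hostname
    ssl_certificate     /etc/nginx/certs/minio.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/certs/minio.key;   # placeholder path

    # Prefix locations, as in the advisory: nginx picks the longest matching
    # prefix, so these win over the catch-all "location /" below and also
    # cover suffix variants such as a trailing slash. nginx percent-decodes
    # the URI and merges duplicate slashes before matching.
    location /minio/admin/v2/import-iam {
        return 403;
    }
    location /minio/admin/v3/import-iam-v2 {
        return 403;
    }

    # All other S3 and admin traffic is proxied to MinIO unchanged.
    location / {
        proxy_pass http://minio_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_http_version 1.1;
        proxy_buffering off;      # keep streaming uploads/downloads intact
        client_max_body_size 0;   # do not cap object sizes at the proxy
    }
}
```

After reloading nginx, confirm the block with `curl -si https://minio.example.com/minio/admin/v3/import-iam-v2` and check that the status line is 403 rather than a MinIO response. If an administrative host must keep access during the rollout, replace `return 403;` with an `allow <admin-cidr>; deny all;` pair.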
References
Refer to https://github.com/minio/minio/pull/20756 for more information.
Binary Releases
AiStor Containers
quay.io/minio/aistor/minio:RELEASE.2024-12-13T13-42-41Z
quay.io/minio/aistor/minio:RELEASE.2024-12-13T13-42-41Z.fips
AiStor Binaries
Architecture: linux/amd64
Architecture: linux/arm64
Architecture: windows/amd64
Community Containers
quay.io/minio/minio:RELEASE.2024-12-13T22-19-12Z
quay.io/minio/minio:RELEASE.2024-12-13T22-19-12Z.fips
Community Binaries
Architecture: linux/amd64
Architecture: linux/arm64
Architecture: windows/amd64
Credits
Credit goes to National Security Agency for reporting this issue.
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
| Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
| go | github.com/minio/minio | | 0.0.0-20241213221912-68b004a48f41 |