CVE-2024-55949
Privilege escalation in IAM import API in MinIO
EPSS 0.41%
Description
MinIO is a high-performance, S3 compatible object store, open sourced under GNU AGPLv3 license. Minio is subject to a privilege escalation in IAM import API, all users are impacted since MinIO commit `580d9db85e04f1b63cc2909af50f0ed08afa965f`. This issue has been addressed in commit `f246c9053f9603e610d98439799bdd2a6b293427` which is included in RELEASE.2024-12-13T22-19-12Z. There are no workarounds possible, all users are advised to upgrade immediately.
How to fix CVE-2024-55949
To remediate CVE-2024-55949, upgrade the affected package to a fixed version below.
- —upgrade to 2024.12.13 or later
- —upgrade to 0.0.0-20241213221912-68b004a48f41 or later
- —upgrade to 0.0.0-20241213221912-68b004a48f41 or later
Is CVE-2024-55949 being exploited?
Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- >= 2022.6.23, < 2024.12.13
- >= 0.0.0-20220623162515-580d9db85e04, < 0.0.0-20241213221912-68b004a48f41
- >= 0.0.0-20220623162515-580d9db85e04, < 0.0.0-20241213221912-68b004a48f41
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N |