CVE-2024-55949 Common Vulnerabilities and Exposures

Upstream information

CVE-2024-55949 at MITRE

Description

MinIO is a high-performance, S3 compatible object store, open sourced under GNU AGPLv3 license. Minio is subject to a privilege escalation in IAM import API, all users are impacted since MinIO commit `580d9db85e04f1b63cc2909af50f0ed08afa965f`. This issue has been addressed in commit `f246c9053f9603e610d98439799bdd2a6b293427` which is included in RELEASE.2024-12-13T22-19-12Z. There are no workarounds possible, all users are advised to upgrade immediately.

SUSE information

Overall state of this security issue: Resolved

This issue is currently rated as having critical severity.

CVSS v4 Scores
	CNA (GitHub)
Base Score	9.3
Vector	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector	Network
Attack Complexity	Low
Attack Requirements	None
Privileges Required	None
User Interaction	None
Vulnerable System Confidentiality Impact	High
Vulnerable System Integrity Impact	High
Vulnerable System Availability Impact	None
Subsequent System Confidentiality Impact	None
Subsequent System Integrity Impact	None
Subsequent System Availability Impact	None
CVSSv4 Version	4.0

No SUSE Bugzilla entries cross referenced.

SUSE Security Advisories:

openSUSE-SU-2024:14603-1, published Fri Dec 20 18:51:47 2024

List of released packages

Product(s)	Fixed package version(s)	References
openSUSE Tumbleweed	`govulncheck-vulndb >= 0.0.20241218T202206-1.1`	Patchnames: openSUSE-Tumbleweed-2024-14603

SUSE Timeline for this CVE

CVE page created: Mon Dec 16 22:00:32 2024
CVE page last modified: Fri Dec 20 19:59:06 2024