CVE-2024-55949

Privilege escalation in IAM import API in MinIO

Description

MinIO is a high-performance, S3 compatible object store, open sourced under GNU AGPLv3 license. Minio is subject to a privilege escalation in IAM import API, all users are impacted since MinIO commit `580d9db85e04f1b63cc2909af50f0ed08afa965f`. This issue has been addressed in commit `f246c9053f9603e610d98439799bdd2a6b293427` which is included in RELEASE.2024-12-13T22-19-12Z. There are no workarounds possible, all users are advised to upgrade immediately.

Category

9.3
CVSS
Severity: Critical
CVSS 4.0 •
EPSS 0.12%
Affected: minio minio
Published at:
Updated at:

References

Link Tags
https://github.com/minio/minio/security/advisories/GHSA-cwq8-g58r-32hg
https://github.com/minio/minio/pull/20756
https://github.com/minio/minio/commit/580d9db85e04f1b63cc2909af50f0ed08afa965f
https://github.com/minio/minio/commit/f246c9053f9603e610d98439799bdd2a6b293427

Frequently Asked Questions

What is the severity of CVE-2024-55949?
CVE-2024-55949 has been scored as a critical severity vulnerability.
How to fix CVE-2024-55949?
To fix CVE-2024-55949, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2024-55949 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2024-55949 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-55949?
CVE-2024-55949 affects minio minio.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.