CVE-2024-24747: 
MinIO vulnerability analysis and mitigation

MinIO, a High Performance Object Storage system, was found to contain a privilege escalation vulnerability (CVE-2024-24747) where access keys could inherit administrative permissions from their parent key. When creating an access key, it would inherit not only s3:* actions but also admin:* actions from the parent key, allowing users to potentially override their own S3 permissions to gain more privileged access unless explicitly denied in the access-key hierarchy (GitHub Advisory).

The vulnerability exists in the permission inheritance mechanism of MinIO's access key system. When a new access key is created, it inherits all permissions including administrative actions (admin:*) from its parent key. Unless administrative rights are explicitly denied somewhere in the access-key hierarchy, access keys can modify their own S3 permissions to gain elevated access. The vulnerability has been assigned a CVSS v3.1 score of 8.8 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility, low attack complexity, and high impact on confidentiality, integrity, and availability (GitHub Advisory).

The vulnerability allows for privilege escalation where a user with limited access to specific buckets could potentially gain access to the entire deployment. An attacker could exploit this vulnerability to override their S3 permissions and gain unauthorized access to resources beyond their intended scope (GitHub Advisory).

The vulnerability has been patched in version RELEASE.2024-01-31T20-20-33Z. The fix ensures that only users with explicit UpdateServiceAccountAdminAction permission can edit access keys. The patch modifies the permission checks for editing access keys to prevent privilege escalation via service accounts (GitHub Release, GitHub Advisory).