x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2024-55949

[GoVulnBot]

Advisory CVE-2024-55949 references a vulnerability in the following Go modules:

Module
github.com/minio/minio

Description:
MinIO is a high-performance, S3 compatible object store, open sourced under GNU AGPLv3 license. Minio is subject to a privilege escalation in IAM import API, all users are impacted since MinIO commit 580d9db85e04f1b63cc2909af50f0ed08afa965f. This issue has been addressed in commit f246c9053f9603e610d98439799bdd2a6b293427 which is included in RELEASE.2024-12-13T22-19-12Z. There are no workarounds possible, all users are advised to upgrade immediately.

References:

• ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2024-55949
• FIX: minio/minio@580d9db
• FIX: minio/minio@f246c90
• FIX: fix: Privilege escalation in IAM import API minio/minio#20756
• WEB: GHSA-cwq8-g58r-32hg

Cross references:

• github.com/minio/minio appears in 15 other report(s):
  • data/excluded/GO-2022-0285.yaml (x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2021-43858 #285) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-0421.yaml (x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2022-24842 #421) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-0479.yaml (x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2022-31028 #479) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-0756.yaml (x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2022-35919 #756) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1591.yaml (x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2023-25812 #1591) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1634.yaml (x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2023-27589 #1634) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1667.yaml (x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2023-28432 #1667) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1668.yaml (x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2023-28433 #1668) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1669.yaml (x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2023-28434 #1669) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-2206.yaml (x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2018-1000538 #2206) LEGACY_FALSE_POSITIVE
  • data/excluded/GO-2023-2267.yaml (x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2020-11012 #2267) LEGACY_FALSE_POSITIVE
  • data/excluded/GO-2023-2318.yaml (x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2021-21287 #2318) LEGACY_FALSE_POSITIVE
  • data/excluded/GO-2023-2322.yaml (x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2021-21362 #2322) LEGACY_FALSE_POSITIVE
  • data/reports/GO-2024-2499.yaml (x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2024-24747 #2499)
  • data/reports/GO-2024-2886.yaml (x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2024-36107 #2886)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/minio/minio
      vulnerable_at: 0.0.0-20241215225012-02f770a0c00a
summary: CVE-2024-55949 in github.com/minio/minio
cves:
    - CVE-2024-55949
references:
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-55949
    - fix: https://github.com/minio/minio/commit/580d9db85e04f1b63cc2909af50f0ed08afa965f
    - fix: https://github.com/minio/minio/commit/f246c9053f9603e610d98439799bdd2a6b293427
    - fix: https://github.com/minio/minio/pull/20756
    - web: https://github.com/minio/minio/security/advisories/GHSA-cwq8-g58r-32hg
source:
    id: CVE-2024-55949
    created: 2024-12-16T22:01:18.266895179Z
review_status: UNREVIEWED

[tatianab]

Duplicate of #3336