CVE-2024-24747

HIGH

MinIO < 0.0.0-20240131185645-0ae4915a9391 - Improper Privilege Management via Access Key Permission Inheritance

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2024-24747. PoCs published by Jenson Zhao and Immer5ion.

AI-analyzed exploit summary: both tracked PoCs authenticate with an existing MinIO access key, create a service account whose inline policy covers only a subset of buckets, then use the admin rights the service account inherits from its parent key to rewrite that policy and reach buckets it could not read before. The GitHub PoC confirms success by comparing bucket lists before and after the policy change.

Description

MinIO is a high-performance object storage server. When an access key (for example a service account) is created, it inherits the permissions of its parent key, and that inheritance covers not only `s3:*` actions but also `admin:*` actions. Unless `admin` rights are explicitly denied somewhere above the key in the access-key hierarchy, the key can therefore use the inherited admin actions to rewrite its own `s3` permissions to something more permissive than the policy it was created with. The vulnerability is fixed in RELEASE.2024-01-31T20-20-33Z.
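The inheritance mechanism above, as an added worked model in Python (this is constructed example code, not MinIO's authorization code and not either tracked PoC). It simulates the pre-fix behaviour the description gives: a service account's `admin:*` rights come straight from its ancestors while its own inline policy only narrows `s3:*` rights, so the account can call an admin action to widen its own s3 policy. It then shows the only mitigation the description leaves to an unpatched deployment, an explicit Deny on `admin:*` somewhere above the key. Key names, bucket names, the policy layout and the use of `admin:UpdateServiceAccount` as the policy-editing action are illustrative assumptions.

```python
"""Constructed model of the access-key inheritance flaw behind CVE-2024-24747.

Added example: not MinIO's code and not either tracked PoC. Names, buckets and
policies are assumptions; admin:UpdateServiceAccount stands in for the admin
action that edits a service account's inline policy.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Iterator, List, Optional


@dataclass
class Statement:
    effect: str            # "Allow" or "Deny"
    actions: List[str]     # IAM-style patterns such as "s3:*" or "admin:*"
    resources: List[str]   # ARN patterns; "*" for admin actions


def _any_match(patterns: List[str], value: str) -> bool:
    return any(fnmatchcase(value, p) for p in patterns)


def evaluate(statements: List[Statement], action: str, resource: str) -> bool:
    """IAM-style decision: an explicit Deny wins, else any matching Allow, else deny."""
    allowed = False
    for st in statements:
        if _any_match(st.actions, action) and _any_match(st.resources, resource):
            if st.effect == "Deny":
                return False
            allowed = True
    return allowed


@dataclass
class AccessKey:
    name: str
    policy: List[Statement]               # the key's own (inline) policy
    parent: Optional["AccessKey"] = None

    def chain(self) -> Iterator["AccessKey"]:
        """The key itself, then its parent, grandparent, ... up to the root."""
        key: Optional[AccessKey] = self
        while key is not None:
            yield key
            key = key.parent


class VulnerableServer:
    """Authorization model of a MinIO build before RELEASE.2024-01-31T20-20-33Z."""

    def __init__(self, buckets: List[str]):
        self.buckets = buckets
        self.keys = {}

    def add_key(self, key: AccessKey) -> None:
        self.keys[key.name] = key

    def authorize(self, key: AccessKey, action: str, resource: str = "*") -> bool:
        if action.startswith("s3:"):
            # s3 rights: every key up the chain, the caller's own inline policy
            # included, must allow the action. Inheritance can only narrow.
            return all(evaluate(k.policy, action, resource) for k in key.chain())
        # admin rights: a key with a parent inherits them unchanged from its
        # ancestors; its inline policy is never consulted, so only an explicit
        # Deny placed above the key blocks the call. A root key uses its own policy.
        policies = list(key.chain())[1:] or [key]
        return all(evaluate(k.policy, action, resource) for k in policies)

    def update_service_account(self, caller: AccessKey, target: str,
                               new_policy: List[Statement]) -> None:
        """Admin API that replaces a service account's inline policy."""
        if not self.authorize(caller, "admin:UpdateServiceAccount"):
            raise PermissionError(f"{caller.name}: admin:UpdateServiceAccount denied")
        self.keys[target].policy = new_policy

    def readable_buckets(self, key: AccessKey) -> List[str]:
        return [b for b in self.buckets
                if self.authorize(key, "s3:GetObject", f"arn:aws:s3:::{b}/q1.csv")]


def run_scenario(deny_admin_above: bool):
    """Return (buckets readable before, buckets readable after, escalation succeeded)."""
    srv = VulnerableServer(["reports", "payroll", "backups"])
    root = AccessKey("root", [Statement("Allow", ["s3:*", "admin:*"], ["*"])])
    dev_policy = [Statement("Allow", ["s3:*", "admin:*"], ["*"])]
    if deny_admin_above:
        # Mitigation the description implies: deny admin rights above the key.
        dev_policy.append(Statement("Deny", ["admin:*"], ["*"]))
    dev = AccessKey("dev-user", dev_policy, parent=root)
    # Service account that is supposed to see only the reports bucket.
    svc = AccessKey("svc-reports", [Statement("Allow", ["s3:*"],
                    ["arn:aws:s3:::reports", "arn:aws:s3:::reports/*"])], parent=dev)
    for k in (root, dev, svc):
        srv.add_key(k)

    before = srv.readable_buckets(svc)
    try:
        # The service account rewrites its own policy to s3:* on everything.
        srv.update_service_account(svc, "svc-reports",
                                   [Statement("Allow", ["s3:*"], ["*"])])
        escalated = True
    except PermissionError:
        escalated = False
    return before, srv.readable_buckets(svc), escalated


if __name__ == "__main__":
    for deny in (False, True):
        print(f"deny admin:* above the key = {deny}: {run_scenario(deny)}")
```

Run without the Deny and the restricted key goes from one bucket to all three after a single admin call; run with the Deny on `dev-user` and the call fails before the policy changes. Two practical notes follow from the model: the Deny is a stopgap for servers that cannot yet move to RELEASE.2024-01-31T20-20-33Z, and upgrading does not undo inline policies that were already widened on an unpatched server, so existing service-account policies are worth reviewing after the upgrade.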

Exploits (2)

exploitdb WORKING POC
by Jenson Zhao · text · remote · go
https://www.exploit-db.com/exploits/51976

This exploit targets MinIO releases before RELEASE.2024-01-31T20-20-33Z. It creates a new service account with a restricted policy, then widens that policy through the admin rights the account inherits from its parent key, gaining access to additional buckets.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: MinIO < RELEASE.2024-01-31T20-20-33Z
Auth required
Prerequisites: Valid MinIO credentials · Network access to MinIO API and console ports
devstral-2 · analyzed Feb 16, 2026

github WORKING POC
by Immer5ion · python · poc
https://github.com/Immer5ion/cve_poc/tree/main/CVE-2024-24747.py

The repository contains functional exploit code for CVE-2024-24747, a privilege escalation vulnerability in MinIO. The PoC demonstrates the vulnerability by creating new buckets and access keys, then verifying the exploit's success by comparing bucket lists before and after exploitation.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: MinIO < RELEASE.2024-01-31T20-20-33Z
Auth required
Prerequisites: valid MinIO access key and secret key · network access to MinIO API
devstral-2 · analyzed Feb 27, 2026

Scores

CVSS v3 8.8
EPSS 0.2706
EPSS Percentile 96.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-269
Status published
Products (2)
minio/minio 2024-01-31t20-20-33z
minio/minio (Go) 0 - 0.0.0-20240131185645-0ae4915a9391
Published Jan 31, 2024
Tracked Since Feb 18, 2026