Impact
A security issue was found where an unprivileged user is able to create service accounts for root or other admin users and then assume their access policies via the generated credentials.
This issue was reported by @Gbd199. We have not seen any reports of active use of this privilege escalation in the wild.
Patches
This vulnerability is fixed in PR #14729:
commit 66b14a0d32684d527ae8018dc6d9d46ccce58ae3 (HEAD -> master, origin/master, origin/HEAD)
Author: Aditya Manthramurthy <donatello@users.noreply.github.com>
Date: Mon Apr 11 15:30:28 2022 -0700
Fix service account privilege escalation (#14729)
Ensure that a regular unprivileged user is unable to create service accounts for other users/root.
Workarounds
A workaround is to explicitly add a policy that denies admin:CreateServiceAccount; however, this in turn also prevents the user from creating his/her own service accounts.
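As an added example (not part of the advisory), a MinIO IAM policy that applies this workaround: it grants an ordinary user S3 access to a bucket and explicitly denies admin:CreateServiceAccount. The bucket name example-bucket and the S3 permissions are assumptions; admin actions in MinIO policies take no Resource element.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowOwnBucketAccessAssumedExample",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
      "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]
    },
    {
      "Sid": "DenyServiceAccountCreationWorkaround",
      "Effect": "Deny",
      "Action": ["admin:CreateServiceAccount"]
    }
  ]
}
```

Attach it to the affected users in place of their current policy; as the advisory notes, the Deny also blocks those users from creating service accounts for themselves, so upgrading to a fixed release is the real remedy.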
References
PR #14729 explains this issue. Releases since RELEASE.2021-12-09T06-19-41Z are affected; releases before RELEASE.2021-12-09T06-19-41Z are not affected by this issue.
For more information
Please email us at security@min.io.