⚠ Actively exploited
Added to CISA KEV on 2023-09-19. Federal agencies required to patch by 2023-10-10. Required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

CVE-2023-28434: Improper Privilege Management in Minio

Severity: 8.8 HIGH (NVD)
EPSS: 52.1% (top 2.08%)
CISA KEV: Added 2023-09-19, Due 2023-10-10
Exploit: Exploited in wild (active exploitation observed)
Affected products
Timeline
Published: 2023-03-22
KEV added: 2023-09-19
KEV due: 2023-10-10
CISA Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Description

Minio is a Multi-Cloud Object Storage framework. Prior to RELEASE.2023-03-20T20-16-18Z, an attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing `PostPolicyBucket`. To carry out this attack, the attacker requires credentials with `arn:aws:s3:::*` permission, as well as enabled Console API access. This issue has been patched in RELEASE.2023-03-20T20-16-18Z. As a workaround, enable browser API access and turn off `MINIO_BROWSER

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9

Affected Packages (3 packages)

CVEList V5: minio/minio < RELEASE.2023-03-20T20-16-18Z
NVD: minio/minio < 2023-03-20t20-16-18z
Go: github.com/minio_minio < 0.0.0-202303200415

Patches

🔴 Vulnerability Details (4)

GHSA: Privilege Escalation on Linux/MacOS (2023-09-05)
OSV: Privilege Escalation on Linux/MacOS (2023-09-05)
OSV: CVE-2023-28434: Minio is a Multi-Cloud Object Storage framework (2023-03-22)
VulnCheck: MinIO Security Feature Bypass Vulnerability (2023)

📋 Vendor Advisories (1)

CISA: MinIO Security Feature Bypass Vulnerability (2023-09-19)

🕵️ Threat Intelligence (1)

Greynoiseio: The Seventh Day Of Tagsmas (2023): MinIO Information Disclosure Attempt (CVE-2023-28432)

📄 Research Papers (1)

CTF: minioday / README (2024)