CVE-2023-28434
8.8
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Minio is a Multi-Cloud Object Storage framework. Prior to RELEASE.2023-03-20T20-16-18Z, an attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing PostPolicyBucket. To carry out this attack, the attacker requires credentials with arn:aws:s3:::* permission, as well as enabled Console API access. This issue has been patched in RELEASE.2023-03-20T20-16-18Z. As a workaround, enable browser API access and turn off MINIO_BROWSER=off.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| minio | minio | < RELEASE.2023-03-20T20-16-18Z | affected |
Weaknesses
- CWE-269: CWE-269: Improper Privilege Management
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/minio/minio/security/advisories/GHSA-2pxw-r47w-4p8c
- https://github.com/minio/minio/pull/16849
- https://github.com/minio/minio/commit/67f4ba154a27a1b06e48bfabda38355a010dfca5
CISA ADP Vulnrichment
- SSVC:
- Exploitation: active
- Automatable: no
- Technical Impact: total
Additional References
References
- https://github.com/minio/minio/security/advisories/GHSA-2pxw-r47w-4p8c
- https://github.com/minio/minio/pull/16849
- https://github.com/minio/minio/commit/67f4ba154a27a1b06e48bfabda38355a010dfca5
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.