CVE-2023-28432 is a vulnerability in Minio
Published on March 22, 2023
Minio is a Multi-Cloud Object Storage framework. In a cluster deployment starting with RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z, MinIO returns all environment variables, including `MINIO_SECRET_KEY` and `MINIO_ROOT_PASSWORD`, resulting in information disclosure. All users of distributed deployment are impacted. All users are advised to upgrade to RELEASE.2023-03-20T20-16-18Z.
Known Exploited Vulnerability
This MinIO Information Disclosure Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. MinIO contains a vulnerability in a cluster deployment where MinIO returns all environment variables, which allows for information disclosure.
The following remediation steps are recommended / required by May 12, 2023: Apply updates per vendor instructions.
Vulnerability Analysis
CVE-2023-28432 is exploitable with network access, and requires neither privileges nor user interaction. The attack complexity is considered low, and the exploitability subscore is the highest possible (3.9). A successful exploit is considered to have a high impact on confidentiality, with no impact on integrity or availability.
What versions of Minio are vulnerable to CVE-2023-28432?
- Minio, releases from RELEASE.2019-12-17T23-16-33Z up to but not including RELEASE.2023-03-20T20-16-18Z. Fixed in RELEASE.2023-03-20T20-16-18Z.
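An added example (not from this advisory or from the MinIO project) for checking an inventory of deployments against the affected window above: it parses MinIO's `RELEASE.<timestamp>Z` tag format, orders tags chronologically, and flags a release only when it is both inside the window and running as a distributed deployment, which is the condition the advisory gives. The `IsVulnerable` function, the hostnames and the inventory values are assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Layout of a MinIO release tag, e.g. RELEASE.2023-03-20T20-16-18Z.
const minioReleaseLayout = "RELEASE.2006-01-02T15-04-05Z"

// Window taken from the advisory: first affected release (inclusive)
// and the release carrying the fix (exclusive).
const (
	firstAffected = "RELEASE.2019-12-17T23-16-33Z"
	fixedRelease  = "RELEASE.2023-03-20T20-16-18Z"
)

// ParseMinioRelease turns a release tag into a time.Time so tags can be
// ordered. Lowercase tags (as some scanners print them) are accepted.
func ParseMinioRelease(tag string) (time.Time, error) {
	return time.Parse(minioReleaseLayout, strings.ToUpper(strings.TrimSpace(tag)))
}

// IsVulnerable reports whether a release falls inside the affected window.
// Only distributed (cluster) deployments are impacted, so single-node
// deployments are reported as not vulnerable regardless of release.
func IsVulnerable(tag string, distributed bool) (bool, error) {
	v, err := ParseMinioRelease(tag)
	if err != nil {
		return false, fmt.Errorf("unrecognised MinIO release tag %q: %w", tag, err)
	}
	lo, _ := ParseMinioRelease(firstAffected)
	hi, _ := ParseMinioRelease(fixedRelease)
	inWindow := !v.Before(lo) && v.Before(hi)
	return distributed && inWindow, nil
}

func main() {
	// Constructed sample inventory; hostnames and tags are made up.
	inventory := []struct {
		host, tag   string
		distributed bool
	}{
		{"minio-a.example.internal", "RELEASE.2022-10-29T06-21-33Z", true},
		{"minio-b.example.internal", "release.2023-01-02t09-23-09z", false},
		{"minio-c.example.internal", "RELEASE.2023-03-20T20-16-18Z", true},
	}
	for _, h := range inventory {
		vuln, err := IsVulnerable(h.tag, h.distributed)
		if err != nil {
			fmt.Println(h.host, "error:", err)
			continue
		}
		fmt.Printf("%s %s distributed=%v vulnerable=%v\n", h.host, h.tag, h.distributed, vuln)
	}
}
```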