CVE-2023-28432 is a vulnerability in Minio
Published on March 22, 2023

Minio is a Multi-Cloud Object Storage framework. In a cluster deployment starting with RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z, MinIO returns all environment variables, including `MINIO_SECRET_KEY` and `MINIO_ROOT_PASSWORD`, resulting in information disclosure. All users of distributed deployments are impacted. All users are advised to upgrade to RELEASE.2023-03-20T20-16-18Z.
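The affected range above can be checked against an inventory of release tags. This is an added example, not code from MinIO or the advisory; the inventory entries and function names are constructed for illustration, and it assumes the timestamp in the release tag alone decides whether a build falls in the range.

```python
import re
from datetime import datetime, timezone

# Range bounds as stated in the advisory text.
FIRST_AFFECTED = "RELEASE.2019-12-17T23-16-33Z"
FIRST_FIXED = "RELEASE.2023-03-20T20-16-18Z"

_TAG = re.compile(r"RELEASE\.(\d{4}-\d{2}-\d{2}T\d{2}-\d{2}-\d{2}Z)")

AFFECTED = "affected: upgrade to " + FIRST_FIXED
IN_RANGE_SINGLE = "version in range, not a cluster deployment"
NOT_AFFECTED = "not affected"


def parse_release(text):
    """Return the UTC timestamp encoded in the first MinIO release tag in text."""
    match = _TAG.search(text)
    if not match:
        raise ValueError(f"no MinIO release tag in {text!r}")
    stamp = datetime.strptime(match.group(1), "%Y-%m-%dT%H-%M-%SZ")
    return stamp.replace(tzinfo=timezone.utc)


def assess(version_text, distributed):
    """Classify one deployment: lower bound inclusive, fixed release exclusive."""
    built = parse_release(version_text)
    if not parse_release(FIRST_AFFECTED) <= built < parse_release(FIRST_FIXED):
        return NOT_AFFECTED
    return AFFECTED if distributed else IN_RANGE_SINGLE


def triage(inventory):
    """Map host -> status; unparseable version strings are flagged for review."""
    report = {}
    for host, version_text, distributed in inventory:
        try:
            report[host] = assess(version_text, distributed)
        except ValueError:
            report[host] = "unknown version: check manually"
    return report


if __name__ == "__main__":
    # Constructed sample inventory: (host, version string, distributed?).
    sample = [
        ("store-a", "minio version RELEASE.2021-06-17T00-10-46Z", True),
        ("store-b", "RELEASE.2023-03-20T20-16-18Z", True),
        ("store-c", "RELEASE.2022-01-08T03-11-54Z", False),
        ("store-d", "dev-build", True),
    ]
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```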


Known Exploited Vulnerability

This MinIO Information Disclosure Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. MinIO contains a vulnerability in a cluster deployment where MinIO returns all environment variables, which allows for information disclosure.

The following remediation steps are recommended / required by May 12, 2023: Apply updates per vendor instructions.

Vulnerability Analysis

CVE-2023-28432 is exploitable with network access and requires neither privileges nor user interaction. Attack complexity is considered low, and the vulnerability has the highest possible exploitability rating (3.9). An exploit would have a high impact on confidentiality, with no impact on integrity or availability.



What versions of Minio are vulnerable to CVE-2023-28432?