CVE-2023-28434 is a vulnerability in Minio
Published on March 22, 2023
Minio is a Multi-Cloud Object Storage framework. Prior to RELEASE.2023-03-20T20-16-18Z, an attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing `PostPolicyBucket`. To carry out this attack, the attacker requires credentials with `arn:aws:s3:::*` permission, as well as enabled Console API access. This issue has been patched in RELEASE.2023-03-20T20-16-18Z. As a workaround, enable browser API access and turn off `MINIO_BROWSER=off`.
Known Exploited Vulnerability
This MinIO Security Feature Bypass Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. MinIO contains a security feature bypass vulnerability that allows an attacker to use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing `PostPolicyBucket` to conduct privilege escalation. To carry out this attack, the attacker requires credentials with `arn:aws:s3:::*` permission, as well as enabled Console API access.
The following remediation steps are recommended / required by October 10, 2023: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Vulnerability Analysis
CVE-2023-28434 is exploitable with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 2.8 out of four. The potential impact of an exploit of this vulnerability is considered to be very high.
Products Associated with CVE-2023-28434
You can be notified by stack.watch whenever vulnerabilities like CVE-2023-28434 are published in these products:
What versions of Minio are vulnerable to CVE-2023-28434?
- Minio Fixed in Version 2023-03-20t20-16-18z