Minio Information Disclosure in Cluster Deployment
CVE-2023-28432
What is CVE-2023-28432?
In certain versions of MinIO, a Multi-Cloud Object Storage framework, an information disclosure vulnerability allows all environment variables, including sensitive credentials such as `MINIO_SECRET_KEY` and `MINIO_ROOT_PASSWORD`, to be exposed. This issue affects users running cluster deployments from RELEASE.2019-12-17T23-16-33Z up to RELEASE.2023-03-20T20-16-18Z. It is imperative for all users of distributed deployments to upgrade to the latest version to remedy this vulnerability and protect sensitive data from unauthorized access.
CISA has reported CVE-2023-28432
CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitors the most dangerous vulnerabilities and has identified CVE-2023-28432 as being exploited, but it is not known by CISA to be used in ransomware campaigns. This is subject to change at pace.
CISA's recommendation is: Apply updates per vendor instructions.
Affected Version(s)
minio >= RELEASE.2019-12-17T23-16-33Z, < RELEASE.2023-03-20T20-16-18Z
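The affected range above has an inclusive lower bound and an exclusive upper bound, and applies only to distributed (cluster) deployments. The following added example, which is not MinIO's own code, parses MinIO release tags of the form `RELEASE.YYYY-MM-DDTHH-MM-SSZ` and triages a fleet inventory against that range; the hostnames and tags in the sample inventory are constructed for the example.

```python
"""Added example: triage MinIO hosts against the CVE-2023-28432 affected range.

Affected: cluster deployments >= RELEASE.2019-12-17T23-16-33Z and
          < RELEASE.2023-03-20T20-16-18Z (values taken from the advisory).
This is illustrative code, not part of the MinIO project.
"""
import re
from datetime import datetime, timezone

# MinIO release tags embed a UTC timestamp; ordering them is a date comparison.
TAG_RE = re.compile(r"^RELEASE\.(\d{4}-\d{2}-\d{2}T\d{2}-\d{2}-\d{2})Z$")

FIRST_AFFECTED = "RELEASE.2019-12-17T23-16-33Z"  # inclusive
FIRST_FIXED = "RELEASE.2023-03-20T20-16-18Z"     # exclusive (the fixed release)


def parse_release_tag(tag: str) -> datetime:
    """Turn a MinIO release tag into a timezone-aware datetime; reject anything else."""
    m = TAG_RE.match(tag.strip())
    if not m:
        raise ValueError(f"not a MinIO release tag: {tag!r}")
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H-%M-%S").replace(tzinfo=timezone.utc)


def is_affected(tag: str, distributed: bool) -> bool:
    """True when the release is inside the advisory range AND the node runs in cluster mode."""
    version = parse_release_tag(tag)
    in_range = parse_release_tag(FIRST_AFFECTED) <= version < parse_release_tag(FIRST_FIXED)
    return distributed and in_range


def triage(inventory):
    """inventory: iterable of (host, release_tag, distributed) -> hosts that need the upgrade."""
    return [host for host, tag, distributed in inventory if is_affected(tag, distributed)]


# Constructed sample inventory (hostnames and tags are made up for this example).
SAMPLE_INVENTORY = [
    ("minio-a.example.internal", "RELEASE.2022-10-29T06-21-33Z", True),   # in range, cluster
    ("minio-b.example.internal", "RELEASE.2023-03-20T20-16-18Z", True),   # fixed release
    ("minio-c.example.internal", "RELEASE.2021-01-05T05-22-38Z", False),  # in range, standalone
    ("minio-d.example.internal", "RELEASE.2019-12-17T23-16-33Z", True),   # first affected
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: upgrade to {FIRST_FIXED} or later")
```

The standalone host in the sample is deliberately left out of the result because the advisory scopes the issue to distributed deployments; if your inventory cannot tell the two modes apart, pass `distributed=True` and treat every in-range node as affected.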
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which can lead to ransomware.
EPSS Score
93% chance of being exploited in the next 30 days.
Timeline
- 📰 First article discovered by CybersecurityNews
- 👾 Exploit known to exist
- 🦅 CISA Reported
- 🟡 Public PoC available
- Vulnerability published
- Vulnerability reserved