MinIO is vulnerable to privilege escalation on Linux/MacOS
CVE-2023-28434

8.8HIGH

Key Information:

Vendor: Minio
Status: Minio
Vendor: CVE Published:; 22 March 2023

Badges

👾 Exploit Exists🟡 Public PoC🟣 EPSS 33%🦅 CISA Reported📰 News Worthy

What is CVE-2023-28434?

In Minio, a Multi-Cloud Object Storage framework, a vulnerability allows attackers to bypass metadata bucket name checking through crafted requests. This enables unauthorized users, possessing credentials with ‘arn:aws:s3:::*’ permissions and Console API access, to upload objects into any bucket. To mitigate this issue, users should upgrade to the patched version released on 2023-03-20 or enable browser API access while disabling the ‘MINIO_BROWSER=off’ setting.

CISA has reported CVE-2023-28434

CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitor the most dangerious vulnerabilities and have identifed CVE-2023-28434 as being exploited but is not known by the CISA to be used in ransomware campaigns. This is subject to change at pace

The CISA's recommendation is: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Affected Version(s)

minio < RELEASE.2023-03-20T20-16-18Z

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

evil_minio
Created by AbelChe

News Articles

CybersecurityNews

CVE-2023-28434 CVE-2023-28432

Hackers Weaponizing MinIO Storage System Flaws to Execute Remote Code

MinIO is an open-source high-performance Object storage service that uses Amazon S3 API. These vulnerabilities existed on the MinIO - Amazon S3 cloud storage service.