MinIO is vulnerable to privilege escalation on Linux/MacOS
CVE-2023-28434
Key Information:
Badges
What is CVE-2023-28434?
In Minio, a Multi-Cloud Object Storage framework, a vulnerability allows attackers to bypass metadata bucket name checking through crafted requests. This enables unauthorized users, possessing credentials with โarn:aws:s3:::*โ permissions and Console API access, to upload objects into any bucket. To mitigate this issue, users should upgrade to the patched version released on 2023-03-20 or enable browser API access while disabling the โMINIO_BROWSER=offโ setting.
CISA has reported CVE-2023-28434
CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitor the most dangerious vulnerabilities and have identifed CVE-2023-28434 as being exploited but is not known by the CISA to be used in ransomware campaigns. This is subject to change at pace
The CISA's recommendation is: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.
Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.
Affected Version(s)
minio < RELEASE.2023-03-20T20-16-18Z
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
News Articles
CybersecurityNewsReferences
EPSS Score
46% chance of being exploited in the next 30 days.
CVSS V3.1
Timeline
- ๐ฐ
First article discovered by CybersecurityNews
- ๐ฆ
CISA Reported
- ๐ก
Public PoC available
- ๐พ
Exploit known to exist
Vulnerability published
Vulnerability Reserved