8.8
CVE-2023-28433
- EPSS 0.98%
- Veröffentlicht 22.03.2023 21:15:18
- Zuletzt bearbeitet 21.11.2024 07:55:03
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
LoginMinio Privilege Escalation on Windows via Path separator manipulation
Minio is a Multi-Cloud Object Storage framework. All users on Windows prior to version RELEASE.2023-03-20T20-16-18Z are impacted. MinIO fails to filter the `\` character, which allows for arbitrary object placement across buckets. As a result, a user with low privileges, such as an access key, service account, or STS credential, which only has permission to `PutObject` in a specific bucket, can create an admin user. This issue is patched in RELEASE.2023-03-20T20-16-18Z. There are no known workarounds.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.98% | 0.576 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 8.8 | 2.8 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
| security-advisories@github.com | 8.8 | 2.8 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
CWE-668 Exposure of Resource to Wrong Sphere
The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
https://github.com/minio/minio/releases/tag/RELEASE.2023-03-20T20-16-18Z
https://github.com/minio/minio/commit/8d6558b23649f613414c8527b58973fbdfa4d1b8
https://github.com/minio/minio/commit/b3c54ec81e0a06392abfb3a1ffcdc80c6fbf6ebc
https://github.com/minio/minio/security/advisories/GHSA-w23q-4hw3-2pp6