CVE-2023-28434

Warnung

Exploit

EPSS 6.74%
Veröffentlicht 22.03.2023 21:15:18
Zuletzt bearbeitet 26.02.2026 15:03:51
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

MinIO is vulnerable to privilege escalation on Linux/MacOS

Minio is a Multi-Cloud Object Storage framework. Prior to RELEASE.2023-03-20T20-16-18Z, an attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing `PostPolicyBucket`. To carry out this attack, the attacker requires credentials with `arn:aws:s3:::*` permission, as well as enabled Console API access. This issue has been patched in RELEASE.2023-03-20T20-16-18Z. As a workaround, enable browser API access and turn off `MINIO_BROWSER=off`.

Betroffene Produkte Warnungen 1 Metriken 3 CWE 1 Referenzen 7

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Minio ≫ Minio Version < 2023-03-20t20-16-18z

19.09.2023: CISA Known Exploited Vulnerabilities (KEV) Catalog

MinIO Security Feature Bypass Vulnerability

Schwachstelle

MinIO contains a security feature bypass vulnerability that allows an attacker to use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing `PostPolicyBucket` to conduct privilege escalation. To carry out this attack, the attacker requires credentials with `arn:aws:s3:::*` permission, as well as enabled Console API access.

Beschreibung

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Erforderliche Maßnahmen

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	6.74%	0.931

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-269 Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

https://github.com/minio/minio/commit/67f4ba154a27a1b06e48bfabda38355a010dfca5

Patch

https://github.com/minio/minio/pull/16849

Exploit

Issue Tracking

https://github.com/minio/minio/security/advisories/GHSA-2pxw-r47w-4p8c

Vendor Advisory

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-28434

US Government Resource

https://nvd.nist.gov/vuln/detail/CVE-2023-28434

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-28434

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-28434

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2023-28434

19.09.2023: CISA Known Exploited Vulnerabilities (KEV) Catalog