CVE-2023-28434

Minio is a Multi-Cloud Object Storage framework. Prior to RELEASE.2023-03-20T20-16-18Z, an attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing PostPolicyBucket. To carry out this attack, the attacker requires credentials with arn:aws:s3:::* permission, as well as enabled Console API access. This issue has been patched in RELEASE.2023-03-20T20-16-18Z. As a workaround, enable browser API access and turn off MINIO_BROWSER=off.

Published: Mar 22, 2023
Updated: May 9, 2024
CVE: CVE-2023-28434
GHSA: GHSA-2pxw-r47w-4p8c
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.8
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWEs:

CWE-269

Affected Software
References

Software	From	Fixed in
minio / minio	-	2023-03-20t20-16-18z
github.com/minio/minio	-	0.0.0-202303200415

https://github.com/minio/minio/commit/67f4ba154a27a1b06e48bfabda38355a010dfca5
https://github.com/minio/minio/pull/16849
https://github.com/minio/minio/security/advisories/GHSA-2pxw-r47w-4p8c

Vulnerability Database

CVE-2023-28434

Deep Security Visibility Without the Complexity