Vulnerability Description
Minio is a Multi-Cloud Object Storage framework. Prior to RELEASE.2023-03-20T20-16-18Z, an attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing `PostPolicyBucket`. To carry out this attack, the attacker requires credentials with `arn:aws:s3:::*` permission, as well as enabled Console API access. This issue has been patched in RELEASE.2023-03-20T20-16-18Z. As a workaround, enable browser API access and turn off `MINIO_BROWSER=off`.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Minio | Minio | < 2023-03-20t20-16-18z |
Related Weaknesses (CWE)
References
- https://github.com/minio/minio/commit/67f4ba154a27a1b06e48bfabda38355a010dfca5Patch
- https://github.com/minio/minio/pull/16849ExploitIssue Tracking
- https://github.com/minio/minio/security/advisories/GHSA-2pxw-r47w-4p8cVendor Advisory
- https://github.com/minio/minio/commit/67f4ba154a27a1b06e48bfabda38355a010dfca5Patch
- https://github.com/minio/minio/pull/16849ExploitIssue Tracking
- https://github.com/minio/minio/security/advisories/GHSA-2pxw-r47w-4p8cVendor Advisory
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-US Government Resource
FAQ
What is CVE-2023-28434?
CVE-2023-28434 is a vulnerability with a CVSS score of 8.8 (HIGH). Minio is a Multi-Cloud Object Storage framework. Prior to RELEASE.2023-03-20T20-16-18Z, an attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket w...
How severe is CVE-2023-28434?
CVE-2023-28434 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-28434?
Check the references section above for vendor advisories and patch information. Affected products include: Minio Minio.