GitHub_MCVELIST:CVE-2023-28432CVE-2023-28432 Minio Information Disclosure in Cluster Deployment
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 High
AI Score
Confidence
High
0.865 High
EPSS
Percentile
98.6%
Minio is a Multi-Cloud Object Storage framework. In a cluster deployment starting with RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z, MinIO returns all environment variables, including MINIO_SECRET_KEY
and MINIO_ROOT_PASSWORD, resulting in information disclosure. All users of distributed deployment are impacted. All users are advised to upgrade to RELEASE.2023-03-20T20-16-18Z.
CNA Affected
[
{
"vendor": "minio",
"product": "minio",
"versions": [
{
"version": ">= RELEASE.2019-12-17T23-16-33Z, < RELEASE.2023-03-20T20-16-18Z",
"status": "affected"
}
]
}
]References
github.com/minio/minio/releases/tag/RELEASE.2023-03-20T20-16-18Z
github.com/minio/minio/security/advisories/GHSA-6xvq-wj2x-3h3q
twitter.com/Andrew___Morris/status/1639325397241278464
viz.greynoise.io/tag/minio-information-disclosure-attempt
www.greynoise.io/blog/openai-minio-and-why-you-should-always-use-docker-cli-scan-to-keep-your-supply-chain-clean
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 High
AI Score
Confidence
High
0.865 High
EPSS
Percentile
98.6%