CVE-2023-28434

Опубликовано: 22 мар. 2023

Источник: nvd

CVSS3: 8.8

EPSS Средний

Описание

Minio is a Multi-Cloud Object Storage framework. Prior to RELEASE.2023-03-20T20-16-18Z, an attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing PostPolicyBucket. To carry out this attack, the attacker requires credentials with arn:aws:s3:::* permission, as well as enabled Console API access. This issue has been patched in RELEASE.2023-03-20T20-16-18Z. As a workaround, enable browser API access and turn off MINIO_BROWSER=off.

Ссылки

https://github.com/minio/minio/commit/67f4ba154a27a1b06e48bfabda38355a010dfca5
Patch
https://github.com/minio/minio/pull/16849
Exploit
Issue Tracking
https://github.com/minio/minio/security/advisories/GHSA-2pxw-r47w-4p8c
Vendor Advisory
https://github.com/minio/minio/commit/67f4ba154a27a1b06e48bfabda38355a010dfca5
Patch
https://github.com/minio/minio/pull/16849
Exploit
Issue Tracking
https://github.com/minio/minio/security/advisories/GHSA-2pxw-r47w-4p8c
Vendor Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-28434
US Government Resource

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*

Версия до 2023-03-20t20-16-18z (исключая)

EPSS

Процентиль: 98%

0.52087

Средний

8.8 High

CVSS3

Дефекты

CWE-269

NVD-CWE-noinfo

Связанные уязвимости

CVE-2023-28434

CVSS3: 8.8

debian

около 3 лет назад

Minio is a Multi-Cloud Object Storage framework. Prior to RELEASE.2023 ...

GHSA-2pxw-r47w-4p8c

CVSS3: 8.8

github

больше 2 лет назад

Privilege Escalation on Linux/MacOS

BDU:2023-05199

CVSS3: 8.8

fstec

около 3 лет назад

Уязвимость компонента PostPolicyBucket сервера хранения объектов MinIO, позволяющая нарушителю выполнить произвольный код

ROS-20240807-05

CVSS3: 8.8

redos

больше 1 года назад

Множественные уязвимости minio

EPSS

Процентиль: 98%

0.52087

Средний

8.8 High

CVSS3

Дефекты

CWE-269

NVD-CWE-noinfo