CVE-2023-28432

Minio Information Disclosure in Cluster Deployment

CVSS 7.5 (High) · EPSS 84.0% · KEV (listed) · CWE-200
In short

MinIO in cluster mode was leaking sensitive environment variables, including secret keys and root passwords, to unauthorized users. This allows attackers to gain full access to the storage system.

Technical detail

This is an information disclosure vulnerability in MinIO cluster deployments, affecting releases from RELEASE.2019-12-17T23-16-33Z up to, but not including, RELEASE.2023-03-20T20-16-18Z. Environment variables containing credentials (MINIO_SECRET_KEY, MINIO_ROOT_PASSWORD) are exposed via API responses or logs without proper access controls. Exploitation requires network access to the MinIO cluster endpoints.

Summary generated and translated by AI from the official description.

Official description:
Minio is a Multi-Cloud Object Storage framework. In a cluster deployment starting with RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z, MinIO returns all environment variables, including `MINIO_SECRET_KEY` and `MINIO_ROOT_PASSWORD`, resulting in information disclosure. All users of distributed deployment are impacted. All users are advised to upgrade to RELEASE.2023-03-20T20-16-18Z.

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
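The check a defender wants first is whether a node's build falls inside the affected range, which depends on MinIO's timestamp-style release tags rather than semantic versions. The following is an added example, not code from this advisory or from the MinIO project: it parses RELEASE.YYYY-MM-DDTHH-MM-SSZ tags, applies the inclusive/exclusive bounds stated above, and treats only distributed deployments as impacted, as the description says. The `minio --version` output it reads is constructed for illustration; the release tag format is the assumption the parser relies on.

```python
"""Check whether a MinIO release tag falls inside the CVE-2023-28432 affected range.

Added example (not from the advisory page or the MinIO project). The affected
range is taken from the advisory text; the sample version output is constructed.
"""
import re
from datetime import datetime, timezone

# Bounds from the advisory: first affected release (inclusive) and fixing release (exclusive).
FIRST_AFFECTED = "RELEASE.2019-12-17T23-16-33Z"
FIXED_IN = "RELEASE.2023-03-20T20-16-18Z"

# MinIO release tags use hyphens in the time part so they are safe in file names.
_TAG_RE = re.compile(r"RELEASE\.(\d{4}-\d{2}-\d{2}T\d{2}-\d{2}-\d{2})Z")


def parse_release(tag: str) -> datetime:
    """Turn a MinIO release tag into a UTC datetime so tags can be ordered."""
    m = _TAG_RE.fullmatch(tag.strip())
    if m is None:
        raise ValueError(f"not a MinIO release tag: {tag!r}")
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H-%M-%S").replace(tzinfo=timezone.utc)


def extract_release(version_output: str) -> str:
    """Pull the release tag out of free text such as `minio --version` output."""
    m = _TAG_RE.search(version_output)
    if m is None:
        raise ValueError("no RELEASE.<timestamp>Z tag found in input")
    return m.group(0)


def is_affected(tag: str, distributed: bool = True) -> bool:
    """True if this build is in the vulnerable range for a distributed deployment.

    The advisory lists only cluster (distributed) deployments as impacted, so a
    single-node server is reported as not affected regardless of its build.
    """
    if not distributed:
        return False
    build = parse_release(tag)
    return parse_release(FIRST_AFFECTED) <= build < parse_release(FIXED_IN)


def assess(version_output: str, distributed: bool = True) -> dict:
    """Summarise the check for one host: tag found, and whether an upgrade is needed."""
    tag = extract_release(version_output)
    affected = is_affected(tag, distributed)
    return {
        "release": tag,
        "distributed": distributed,
        "affected": affected,
        "action": f"upgrade to {FIXED_IN} or later" if affected else "no action for CVE-2023-28432",
    }


if __name__ == "__main__":
    # Constructed sample shaped like `minio --version` output; not captured from a real host.
    SAMPLE = "minio version RELEASE.2023-01-12T02-06-16Z\nRuntime: go1.19.4 linux/amd64"
    for node, dist in (("pool-node-1", True), ("dev-single-node", False)):
        print(node, assess(SAMPLE, distributed=dist))
```

Because the fixing release is the exclusive upper bound, a node already on RELEASE.2023-03-20T20-16-18Z is reported as clean while the first affected tag is reported as vulnerable; feed each cluster member's version output through `assess` to get a per-node answer.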
Affected products
minio · minio
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
