CVE-2023-28434
MinIO is vulnerable to privilege escalation on Linux/MacOS
In short
MinIO has a flaw that lets an authenticated attacker who already holds broad S3 permissions bypass the bucket-name check and write objects into storage buckets they should not be able to reach. The bypass is triggered by specially crafted PostPolicyBucket requests, and it only works when the attacker already has broad permissions and the Console API is enabled.
Technical detail
The vulnerability exists in PostPolicyBucket processing where metadata bucket name validation can be bypassed via crafted requests (CWE-269: Improper Access Control). An authenticated attacker with `arn:aws:s3:::*` permissions and enabled Console API access can write objects to arbitrary buckets. The flaw was patched in RELEASE.2023-03-20T20-16-18Z.
Summary generated and translated by AI from the official description.
Minio is a Multi-Cloud Object Storage framework. Prior to RELEASE.2023-03-20T20-16-18Z, an attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing `PostPolicyBucket`. To carry out this attack, the attacker requires credentials with `arn:aws:s3:::*` permission, as well as enabled Console API access. This issue has been patched in RELEASE.2023-03-20T20-16-18Z. As a workaround, enable browser API access and turn off `MINIO_BROWSER=off`.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
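Added example, not part of the advisory or of MinIO's own code: a small Go helper that tells a defender whether a deployment meets both preconditions stated above, an unpatched release (older than RELEASE.2023-03-20T20-16-18Z) and an enabled Console API (MINIO_BROWSER not set to "off"). It assumes the standard MinIO release tag format RELEASE.YYYY-MM-DDThh-mm-ssZ; the release tags and environment values used in main are constructed samples.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// PatchedRelease is the first release containing the fix, as stated in the advisory.
const PatchedRelease = "RELEASE.2023-03-20T20-16-18Z"

// releaseLayout is the Go time layout for MinIO's tag format RELEASE.YYYY-MM-DDThh-mm-ssZ
// (the trailing Z is a literal here; MinIO release timestamps are UTC).
const releaseLayout = "2006-01-02T15-04-05Z"

// ParseRelease converts a MinIO release tag into a UTC timestamp.
func ParseRelease(tag string) (time.Time, error) {
	tag = strings.TrimSpace(tag)
	if !strings.HasPrefix(tag, "RELEASE.") {
		return time.Time{}, fmt.Errorf("not a MinIO release tag: %q", tag)
	}
	return time.Parse(releaseLayout, strings.TrimPrefix(tag, "RELEASE."))
}

// IsAffected reports whether tag is older than the patched release.
func IsAffected(tag string) (bool, error) {
	running, err := ParseRelease(tag)
	if err != nil {
		return false, err
	}
	patched, _ := ParseRelease(PatchedRelease)
	return running.Before(patched), nil
}

// ConsoleEnabled reports whether the embedded Console (and its API) is enabled for the
// given environment; MinIO turns it off when MINIO_BROWSER is set to "off".
func ConsoleEnabled(env map[string]string) bool {
	return !strings.EqualFold(strings.TrimSpace(env["MINIO_BROWSER"]), "off")
}

// Exposed reports whether both advisory preconditions hold: an unpatched release
// and an enabled Console API. Disabling the Console removes the precondition.
func Exposed(tag string, env map[string]string) (bool, error) {
	affected, err := IsAffected(tag)
	if err != nil {
		return false, err
	}
	return affected && ConsoleEnabled(env), nil
}

func main() {
	// Constructed sample inventory: release tag and environment per deployment.
	exposed, err := Exposed("RELEASE.2023-03-13T19-46-17Z", map[string]string{})
	fmt.Println("exposed:", exposed, "err:", err)
}
```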
Affected products
minio · minio
Public PoCs found: 1
github: github.com/AbelChe/evil_minio
Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.