VDB
CVE-2023-28434
CVE-2023-28434
PUBLISHED
KEV
Minio is a Multi-Cloud Object Storage framework. Prior to RELEASE.2023-03-20T20-16-18Z, an attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing `PostPolicyBucket`. To carry out this attack, the attacker requires credentials with `arn:aws:s3:::*` permission, as well as enabled Console API access. This issue has been patched in RELEASE.2023-03-20T20-16-18Z. As a workaround, enable browser API access and turn off `MINIO_BROWSER=off`.
EPSS 52.09% · 98.0th percentile
Risk Scores
EPSS Score
52.09%
98.0th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Bitnami | minio | 0 |
| Bitnami | minio | 0 |
Timeline
- Mar 22, 2023 CVE Published
- Mar 22, 2023 PoC Published
- Mar 23, 2023 EPSS Score
- Mar 23, 2023 PoC Published
- Mar 23, 2023 Nuclei Template
- Mar 23, 2023 Fix Commit
- Mar 23, 2023 PoC Published
- Mar 27, 2023 PoC Published
- Jun 8, 2023 EPSS Score
- Aug 23, 2023 EPSS Score
- Sep 4, 2023 PoC Published
- Sep 13, 2023 PoC Published
References
- https://github.com/minio/minio/commit/67f4ba154a27a1b06e48bfabda38355a010dfca5 url
- https://github.com/minio/minio/pull/16849 url
- https://github.com/minio/minio/security/advisories/GHSA-2pxw-r47w-4p8c url
- https://nvd.nist.gov/vuln/detail/CVE-2023-28434 url
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-28434 url