CVE-2023-28434

Name
CVE-2023-28434
Description
MinIO is a Multi-Cloud Object Storage framework. Prior to RELEASE.2023-03-20T20-16-18Z, an attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing `PostPolicyBucket`. To carry out this attack, the attacker requires credentials with `arn:aws:s3:::*` permission, as well as enabled Console API access; it is an authenticated bypass, not an anonymous one. This issue has been patched in RELEASE.2023-03-20T20-16-18Z. As a workaround, disable Console (browser) API access by setting `MINIO_BROWSER=off`, which removes the precondition the attack depends on.
NVD Severity
high

References

Type URI
MISC https://github.com/minio/minio/security/advisories/GHSA-2pxw-r47w-4p8c
MISC https://github.com/minio/minio/pull/16849
MISC https://github.com/minio/minio/commit/67f4ba154a27a1b06e48bfabda38355a010dfca5

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:* minio >= None < 2023-03-20t20-16-18z

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
minio 3.17-community 0.20221029.062133-r5 Drew DeVault <sir@cmpwn.com> possibly vulnerable
minio 3.18-community 0.20230920.224955-r2 Celeste <cielesti@protonmail.com> possibly vulnerable
minio 3.19-community 0.20240131.202033-r2 Celeste <cielesti@protonmail.com> possibly vulnerable
minio edge-community 0.20240418.190919-r0 Celeste <cielesti@protonmail.com> possibly vulnerable
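As an added example, not code from the Alpine tracker or from MinIO, the script below turns the description's preconditions and the match rule into a check a packager or operator can run: it parses a MinIO release tag, an Alpine package version or the CPE bound into a build timestamp, compares it with the fix release, and reports exposure given the server's `MINIO_BROWSER` setting. Two assumptions are built in and marked in the code: that Alpine's `0.YYYYMMDD.HHMMSS` pkgver encodes the same timestamp as the upstream `RELEASE.YYYY-MM-DDTHH-MM-SSZ` tag, and that `MINIO_BROWSER` is on unless explicitly set to `off`.

```python
# Added example (not from the Alpine tracker or from MinIO): decide, from a
# version string and the server environment, whether a MinIO build is exposed
# to CVE-2023-28434, using the advisory's fix release and preconditions.
import re
from datetime import datetime, timezone

# Fix release named in the advisory: RELEASE.2023-03-20T20-16-18Z.
FIXED = datetime(2023, 3, 20, 20, 16, 18, tzinfo=timezone.utc)

# Three notations for a build timestamp, as they appear on the tracker page:
#   MinIO release tag    RELEASE.2023-09-20T22-49-55Z
#   Alpine package ver   0.20230920.224955-r2  (assumption: pkgver encodes the tag)
#   CPE match bound      2023-03-20t20-16-18z
_RELEASE_TAG = re.compile(r"RELEASE\.(\d{4})-(\d{2})-(\d{2})T(\d{2})-(\d{2})-(\d{2})Z")
_ALPINE_PKG = re.compile(r"^0\.(\d{4})(\d{2})(\d{2})\.(\d{2})(\d{2})(\d{2})(?:-r\d+)?$")
_CPE_BOUND = re.compile(r"^(\d{4})-(\d{2})-(\d{2})t(\d{2})-(\d{2})-(\d{2})z$", re.IGNORECASE)


def build_time(version: str) -> datetime:
    """Parse any of the three notations into a UTC build timestamp."""
    for pattern in (_RELEASE_TAG, _ALPINE_PKG, _CPE_BOUND):
        m = pattern.search(version)
        if m:
            return datetime(*map(int, m.groups()), tzinfo=timezone.utc)
    raise ValueError(f"unrecognised MinIO version string: {version!r}")


def is_vulnerable_build(version: str) -> bool:
    """True when the build predates the fix release (strictly older)."""
    return build_time(version) < FIXED


def exposure(version: str, env: dict) -> str:
    """Combine the build check with the advisory's precondition: the bypass is
    only reachable when the Console/browser API is enabled. MinIO controls that
    with MINIO_BROWSER; treating it as on unless set to off is an assumption."""
    if not is_vulnerable_build(version):
        return "not affected: build includes the fix"
    if env.get("MINIO_BROWSER", "on").strip().lower() == "off":
        return "vulnerable build, Console API disabled: workaround in place, still upgrade"
    return "exposed: upgrade to RELEASE.2023-03-20T20-16-18Z or later, or set MINIO_BROWSER=off"


# Rows of the "Vulnerable and fixed packages" table above (branch -> version).
ALPINE_ROWS = {
    "3.17-community": "0.20221029.062133-r5",
    "3.18-community": "0.20230920.224955-r2",
    "3.19-community": "0.20240131.202033-r2",
    "edge-community": "0.20240418.190919-r0",
}


def classify_rows(rows: dict = ALPINE_ROWS) -> dict:
    """Map each branch to whether its package build predates the fix."""
    return {branch: is_vulnerable_build(ver) for branch, ver in rows.items()}


if __name__ == "__main__":
    for branch, vulnerable in classify_rows().items():
        print(f"{branch}: {'predates fix' if vulnerable else 'at or after fix'}")
    # Constructed environments for the 3.17 build listed on the page.
    print(exposure("0.20221029.062133-r5", {}))
    print(exposure("0.20221029.062133-r5", {"MINIO_BROWSER": "off"}))
```

Applied to the table above, only the 3.17-community build (0.20221029.062133) carries a timestamp before the fix release; the other three encode builds from September 2023 onward. The match rule's upper bound is written in MinIO's release-tag notation while Alpine's package versions are not, so the two cannot be settled by string order; read the blanket "possibly vulnerable" status with that in mind and confirm by build timestamp, then check `MINIO_BROWSER` on any host that is still on a pre-fix build.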